Allocation of Resources Without Limits or Throttling in body-parser - CVE-2026-12590

 

Allocation of Resources Without Limits or Throttling in body-parser - CVE-2026-12590

Published: July 9, 2026


Vulnerability identifier: #VU137284
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-12590
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Express.js
Affected software:
body-parser

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the request body size enforcement logic when handling requests with an invalid limit option value. A remote attacker can send an oversized request body to cause a denial of service.

This issue affects applications that use a programmatically computed or user-configurable limit value without validating it first.


How to mitigate CVE-2026-12590

Install security update from vendor's website.

Sources