CVE-2024-45590

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce	Patch
https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openjsf:body-parser:*:*:*:*:*:node.js:*:*

History

20 Sep 2024, 16:26

Type	Values Removed	Values Added
References	~~() https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce -~~	() https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce - Patch
References	~~() https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7 -~~	() https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7 - Vendor Advisory
CPE		cpe:2.3:a:openjsf:body-parser::::::node.js::*
First Time		Openjsf Openjsf body-parser
CWE		NVD-CWE-noinfo

10 Sep 2024, 17:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-10 16:15

Updated : 2024-09-20 16:26

NVD link : CVE-2024-45590

Mitre link : CVE-2024-45590

CVE.ORG link : CVE-2024-45590

JSON object : View

Products Affected

openjsf

body-parser

CWE

NVD-CWE-noinfo CWE-405

Asymmetric Resource Consumption (Amplification)

{"id": "CVE-2024-45590", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-10T16:15:21.083", "references": [{"url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-405"}]}], "descriptions": [{"lang": "en", "value": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."}, {"lang": "es", "value": "body-parser es un middleware de an\u00e1lisis de cuerpo de Node.js. body-parser en versiones anteriores a la 1.20.3 es vulnerable a la denegaci\u00f3n de servicio cuando la codificaci\u00f3n de URL est\u00e1 habilitada. Un actor malintencionado que utilice un payload especialmente manipulado podr\u00eda inundar el servidor con una gran cantidad de solicitudes, lo que provocar\u00eda una denegaci\u00f3n de servicio. Este problema se solucion\u00f3 en la versi\u00f3n 1.20.3."}], "lastModified": "2024-09-20T16:26:44.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openjsf:body-parser:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "42A6B188-985D-4F15-B31B-46D67F4E3F07", "versionEndExcluding": "1.20.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}