The vulnerability lies in the unbounded recursion depth when parsing URL-encoded data, specifically when the extended option is true, which uses the qs library. The commit b2695c4450f06ba3b0ccf48d872a229bb41c9bce addresses this by introducing a depth option.
extendedparser function in lib/types/urlencoded.js: This function directly calls qs.parse. Before the patch, the depth option passed to qs.parse was Infinity (the removed line depth: Infinity,), so keys could nest to any level, which is what enabled the DoS. The patch replaces it with a configurable depth option (defaulting to 32) and adds strictDepth: true, so input nested deeper than the limit is rejected with an error instead of being silently truncated.
urlencoded function in lib/types/urlencoded.js: This is the main factory function for the middleware. It was modified to accept the new depth option and pass it down to the actual parsing functions (extendedparser, via the read function and its options). Before this change, it implicitly let extendedparser run with an infinite depth.
Both functions are critical. extendedparser is where the vulnerable call to qs.parse with depth: Infinity happened; urlencoded is the public API that set up this vulnerable configuration. During exploitation, both would likely appear in a stack trace, with urlencoded calling into logic that eventually reaches extendedparser.
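To make the depth limit concrete, here is an added example (not body-parser's or qs's own code) that counts bracket nesting per key in a URL-encoded body and rejects bodies deeper than a configurable limit, approximating what the patched parser does with depth: 32 and strictDepth: true. The function names, the 400 error mapping and the sample bodies are constructed for illustration.

```javascript
// Added illustration, not code from body-parser or qs.
// Counts "[...]" segments after the first plain key segment, which is
// roughly how qs measures nesting depth for a key like a[b][c].
function keyDepth(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (e) {
    key = rawKey; // malformed percent-encoding: fall back to the raw key
  }
  const segments = key.match(/\[[^\]]*\]/g);
  return segments ? segments.length : 0;
}

// Maximum nesting depth over all key=value pairs in the body.
function maxBodyDepth(body) {
  let max = 0;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    max = Math.max(max, keyDepth(rawKey));
  }
  return max;
}

// Strict check: a body nested deeper than maxDepth is refused outright,
// the way strictDepth makes qs throw a RangeError that body-parser 1.20.3
// turns into a 400 response. Passing Infinity reproduces the pre-patch
// behaviour, where any depth is accepted.
function checkDepth(body, maxDepth = 32) {
  const depth = maxBodyDepth(body);
  if (depth > maxDepth) {
    const err = new RangeError('The input exceeded the depth');
    err.status = 400;
    err.type = 'querystring.parse.rangeError'; // hypothetical error type label
    throw err;
  }
  return depth;
}

// Constructed sample bodies for demonstration.
function nestedBody(levels) {
  return 'a' + '[b]'.repeat(levels) + '=1';
}
const benignBody = 'user[name]=alice&user[roles][0]=admin'; // depth 2
const deepBody = nestedBody(10000);                          // depth 10000
```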
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| body-parser | npm | < 1.20.3 | 1.20.3 |