Body-parser version 1.2.0 is a minor update to the widely used Node.js middleware for parsing request bodies, building on version 1.1.2. Both versions share the core functionality of handling incoming data in formats such as JSON, URL-encoded, and raw text; the key difference lies in their dependencies. Version 1.2.0 updates the type-is dependency from version 1.1.0 to 1.2.0, potentially introducing enhanced content-type checking and improved standards compliance. The other dependencies, qs and raw-body, remain fixed, as do the versions of the dev dependencies.
For developers considering an upgrade, this dependency update is the primary point of interest. The type-is library determines the media type of a request, which governs how body-parser handles the data, so the update potentially offers more accurate and more secure parsing. Both versions are licensed under the MIT license, a developer-friendly open-source agreement, and are maintained by Jonathan Ong as part of the Express.js project. The release dates also differ: version 1.2.0 was released one day after 1.1.2.
Developers already using body-parser should evaluate whether type-is version 1.2.0 introduces any compatibility issues with their existing code and whether it offers any security advantages. Those starting a new project can safely use either version, but staying current is generally recommended for bug fixes and feature enhancements; in this case, that means version 1.2.0.
All vulnerabilities related to version 1.2.0 of the package
body-parser vulnerable to denial of service when url encoding is enabled
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3.
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a MIME lookup is performed on untrusted user input.
Update to version 2.0.3 or later.