Body-parser is a widely used piece of middleware for Node.js applications that handles parsing of incoming request bodies. Comparing versions 1.9.2 and 1.9.3 reveals subtle but relevant differences. Version 1.9.3, released on November 22, 2014, updates its dependencies, most notably upgrading qs from version 2.3.2 to 2.3.3, type-is from 1.5.2 to 1.5.3, raw-body from 1.3.0 to 1.3.1, and iconv-lite from 0.4.4 to 0.4.5. These dependency updates likely carry bug fixes, performance improvements, or security patches within those libraries, which, while seemingly minor, contribute to the overall stability and reliability of body-parser. Version 1.9.2 depended on supertest ~0.14.0 for integration tests; version 1.9.3 upgraded it to ~0.15.0 and removed should as a dev dependency. Developers should always upgrade body-parser to the latest stable version (1.9.3 at the time of that release) to benefit from these incremental improvements. The release frequency suggests active maintenance and attention to detail, which supports confidence in its robustness for production environments. Consult the changelogs of the upgraded dependencies for a detailed breakdown of the specific changes introduced in version 1.9.3.
All vulnerabilities affecting version 1.9.3 of the package
body-parser vulnerable to denial of service when url encoding is enabled
body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.