CVE-2024-45590: 
JavaScript vulnerability analysis and mitigation

body-parser, a Node.js body parsing middleware, was found to contain a denial of service vulnerability (CVE-2024-45590) when URL encoding is enabled. The vulnerability affects versions prior to 1.20.3 and was disclosed on September 10, 2024. The issue allows malicious actors to flood the server with specially crafted payloads, potentially causing denial of service conditions (GitHub Advisory).

The vulnerability is related to the depth handling of URL-encoded data parsing. Prior to version 1.20.3, the parser had an infinite depth limit which could be exploited. The issue has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-405 (Asymmetric Resource Consumption) (GitHub Advisory, NVD).

When exploited, this vulnerability can lead to denial of service conditions by allowing attackers to send specially crafted payloads that consume excessive server resources. The impact primarily affects the availability of the service, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 1.20.3 of body-parser. The fix includes setting a default depth limit of 32 for parsing URL-encoded data (previously set to Infinity) and adding a new 'depth' option to customize the parsing depth level. Users are recommended to upgrade to version 1.20.3 or later (GitHub Commit).