CVE-2024-45590

HIGH LAB

body-parser < 1.20.3 - Denial of Service via URL Encoding

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-45590. PoCs published by Evillm, dhruvik-git.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2024-45590, demonstrating unauthenticated RCE via arbitrary file upload in a vulnerable WordPress plugin. The PoC includes a Dockerized environment for testing and a Python-based scanner that uploads a PHP shell and executes commands.

Description

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Exploits (2)

nomisec WORKING POC

by Evillm · poc

https://github.com/Evillm/CVE-2024-45590-PoC

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-45590, demonstrating unauthenticated RCE via arbitrary file upload in a vulnerable WordPress plugin. The PoC includes a Dockerized environment for testing and a Python-based scanner that uploads a PHP shell and executes commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress Plugin (vulnerable-plugin)

No auth needed

Prerequisites: Access to the vulnerable WordPress plugin endpoint · Network connectivity to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by dhruvik-git · poc

https://github.com/dhruvik-git/CVE-2024-45590

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-45590, which targets a vulnerability likely related to JSON or form data parsing. The script sends deeply nested or large payloads to trigger a denial-of-service (DoS) condition.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Unknown (likely a web application or API)

No auth needed

Prerequisites: Network access to the target API endpoint

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7

Patch x_refsource_misc

https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0154

EPSS Percentile 81.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull wordpress:6.5-php8.2-apache

https://github.com/dhruvik-git/CVE-2024-45590

https://github.com/Evillm/CVE-2024-45590-PoC

https://github.com/expressjs/body-parser

View in Library

Details

CWE

CWE-405

Status published

Products (2)

npm/body-parser 0 - 1.20.3npm

openjsf/body-parser < 1.20.3

Published Sep 10, 2024

Tracked Since Feb 18, 2026