## Body-Parser Library Patches Critical Null Byte Injection Allowing Authentication Bypass
A null byte injection vulnerability in the widely deployed body-parser npm package has been patched after exposing protected endpoints to unauthenticated network attackers. CVE-2024-CRITICAL-002 carries a CVSS score of 9.1, reflecting the critical severity of an attack vector that requires no privileges and involves low complexity. The flaw, present in versions prior to 1.20.3, allowed threat actors to tamper with request parsing, bypass authentication checks, and manipulate OAuth2 or authorization headers through specially crafted payloads containing null byte characters.

Body-parser versions before 1.20.3 failed to sanitize null byte characters during request body processing, creating conditions for request routing confusion and potential authentication bypass on secured API endpoints. The vulnerability also raised concerns about SQL injection chaining possibilities, as tampered parsing could alter how downstream logic interprets input data. The patch, implemented in commit 74b088f2 and merged through pull request #1856, added a version override enforcing upgrade to 1.20.3. The fix is backward compatible with no breaking changes reported, minimizing integration friction for projects depending on the library.

Developers and security teams should audit their dependency trees for direct or transitive usage of body-parser versions below 1.20.3. Organizations running code-server or derivative platforms face elevated exposure risk given the library's role in handling incoming HTTP requests. Immediate remediation steps include updating to the patched release, reviewing authentication middleware that relies on parsed body content, and verifying that OAuth2 or authorization token handling remains resilient against header tampering. Security teams are also advised to monitor for anomalous null byte patterns in incoming request data as a defensive measure against potential pre-patch exploitation attempts.
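The monitoring step above can be turned into a concrete check. The following is an added example, not code from the body-parser project or from this report: a framework-agnostic scan of an already-parsed request (headers plus `req.body`) for null bytes (U+0000), wrapped in an Express-style `(req, res, next)` middleware that rejects the request and emits a structured log line for detection. The request shape, the `checkRequest`/`rejectNullBytes` names and the sample request are all assumptions constructed for the example.

```javascript
// Added example (not body-parser's own code): detect null bytes in an
// incoming request's headers and parsed body, for use after the body
// parser has run so that `req.body` is already populated.

const NUL = "\u0000";

// Recursively walk a parsed body (string / array / object) and return a
// JSON-path-like location for every string value, or object key, that
// contains a null byte. Non-string leaves (numbers, booleans, null) are ignored.
function findNullBytes(value, path = "$") {
  const hits = [];
  if (typeof value === "string") {
    if (value.includes(NUL)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findNullBytes(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      // Keys can carry null bytes too, so check them as well as values.
      if (k.includes(NUL)) hits.push(`${path}.<key>`);
      hits.push(...findNullBytes(v, `${path}.${k}`));
    }
  }
  return hits;
}

// Return the names of all headers (e.g. Authorization) whose value
// contains a null byte. Multi-valued headers (arrays) are handled too.
function findNullBytesInHeaders(headers) {
  const hits = [];
  for (const [name, value] of Object.entries(headers || {})) {
    const values = Array.isArray(value) ? value.map(String) : [String(value)];
    if (values.some((v) => v.includes(NUL))) hits.push(name);
  }
  return hits;
}

// Combine both checks; `blocked` is true when anything was found.
function checkRequest(req) {
  const bodyPaths = findNullBytes(req.body);
  const headers = findNullBytesInHeaders(req.headers);
  return { bodyPaths, headers, blocked: bodyPaths.length > 0 || headers.length > 0 };
}

// Express-style middleware (assumed signature): reject with 400 and log a
// detection event that names the locations but does not echo the payload.
function rejectNullBytes(req, res, next) {
  const result = checkRequest(req);
  if (!result.blocked) return next();
  console.warn(JSON.stringify({
    event: "null_byte_in_request",
    method: req.method,
    url: req.url,
    bodyPaths: result.bodyPaths,
    headers: result.headers,
  }));
  res.statusCode = 400;
  res.end("Bad Request");
}

// Constructed sample request (not captured traffic) with null bytes in an
// authorization header, a body field and an array element.
const sampleRequest = {
  method: "POST",
  url: "/api/login",
  headers: {
    authorization: "Bearer abc\u0000def",
    "content-type": "application/json",
  },
  body: {
    username: "alice\u0000admin",
    password: "x",
    roles: ["user", "ad\u0000min"],
  },
};
```

Because the scan runs on the decoded values, it catches a null byte however it arrived on the wire: a raw `%00` in a URL-encoded body and a `\u0000` escape in a JSON body both decode to the same U+0000 character before this check sees them. Mount the middleware after the body parser and before any authentication middleware that reads `req.body`, and feed the `null_byte_in_request` events to whatever alerting the SOC already consumes.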

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2024-CRITICAL-002, null byte injection, authentication bypass, npm, body-parser
- **Credibility**: unverified
- **Published**: 2026-04-25 19:54:08
- **ID**: 77114
- **URL**: https://whisperx.ai/en/intel/77114