wid-sec-w-2026-0924 · Published 2026-03-30 · BSI CERT-Bund
IBM DataPower Gateway: Multiple Vulnerabilities
CVSS 6.5 (MEDIUM)
Risk Summary
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.
CVEs (2)
Affected Vendors
IBM
Affected Products (8)
IBM · DataPower Gateway <11.0.0.0
IBM · DataPower Gateway 11.0.0.0
IBM · DataPower Gateway <10.6.0.9
IBM · DataPower Gateway 10.6.0.9
IBM · DataPower Gateway <10.6.6.0
IBM · DataPower Gateway 10.6.6.0
IBM · DataPower Gateway <10.5.0.21
IBM · DataPower Gateway 10.5.0.21