Описание
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.
Ссылки
- Broken Link
- Patch
- Patch
- Release Notes
- ExploitTechnical DescriptionThird Party Advisory
- Broken Link
- Patch
- Patch
- Release Notes
- ExploitTechnical DescriptionThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.31.0 (исключая)
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
EPSS
Процентиль: 32%
0.00123
Низкий
5.3 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-1333
CWE-1333
CWE-1333
Связанные уязвимости
CVSS3: 5.3
github
почти 3 года назад
Regular Expression Denial of Service in Deno.upgradeWebSocket API
EPSS
Процентиль: 32%
0.00123
Низкий
5.3 Medium
CVSS3
7.5 High
CVSS3
Дефекты
CWE-1333
CWE-1333
CWE-1333