Headline

GHSA-xr9w-x6gw-c9mj: Deno vulnerable to Regular Expression Denial of Service

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s,s/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. This issue has been patched in version 1.31.0.

1 year ago

ghsa

Open in Source

#web #dos #git

Deno vulnerable to Regular Expression Denial of Service

Moderate severity GitHub Reviewed Published Feb 25, 2023 to the GitHub Advisory Database • Updated Feb 28, 2023

### Impact Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. ### Patches It is recommended that users upgrade to Deno 1.31.0.

1 year ago

ghsa

Open in Source

#web #dos #git

CVE-2023-26103: refactor(ext/http): use String.prototype.trim() instead of regex by piscisaureus · Pull Request #17722 · denoland/deno

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

1 year ago

CVE

Open in Source

#web #dos #git