Headline
GHSA-8x6c-cv3v-vp6g: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service
cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity issue in versions prior to 4.1.1 of that package. cacheable-request 10.2.7 has been updated to rely on the fixed version.
Summary of http-cache-semantics vulnerability
http-cache-semantics contains an Inefficient Regular Expression Complexity issue, leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Details
https://github.com/advisories/GHSA-rc47-6667-2j5j
Package
cacheable-request (npm)
Affected versions
< 10.2.7
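To check a project against these version bounds, the following added example (not code from the advisory or from either package) scans a parsed package-lock.json for cacheable-request below 10.2.7 and http-cache-semantics below 4.1.1, including nested copies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: first fixed versions are the ones stated in the advisory.
const FIXED = new Map([['cacheable-request', '10.2.7'], ['http-cache-semantics', '4.1.1']]);

// Compare numeric major.minor.patch only (assumption: prerelease/build suffixes ignored).
function cmpVersion(a, b) {
  const core = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const x = core(a), y = core(b);
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Accepts a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const fixedIn = FIXED.get(name);
    if (fixedIn && typeof version === 'string' && cmpVersion(version, fixedIn) < 0) {
      hits.push({ name, version, path, fixedIn });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "name" is set for aliased installs.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split('node_modules/').pop(), meta.version, path);
    }
  } else {
    // v1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/cacheable-request': { version: '10.2.6' },
  'node_modules/http-cache-semantics': { version: '4.1.1' },
  'node_modules/got/node_modules/http-cache-semantics': { version: '4.1.0' },
} };
console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the result of parsing its package-lock.json with JSON.parse to findAffected; each hit reports the install path, so nested copies pulled in by other dependencies are visible.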
References
- GHSA-8x6c-cv3v-vp6g
- jaredwray/cacheable-request@8a47777
- GHSA-rc47-6667-2j5j
Last updated
Feb 11, 2023
Published to the GitHub Advisory Database
Feb 11, 2023