- Bug
- Resolution: Unresolved
- Major
Vulnerability: Regular Expression Denial of Service
CVSS Score: 7.5
Current Negotiator Version: 0.5.3
Vulnerable Negotiator Versions: <= 0.6.0
Patched Negotiator Versions: >= 0.6.1
Recommendation: Upgrade to at least version 0.6.1. Express users should update to Express 4.14.0 or greater. To check whether your application makes a vulnerable call, a quick grep for the `acceptsLanguages` function call will tell you whether you use this functionality.
Advisory: https://nodesecurity.io/advisories/106
Affected Module Tree
- fh-metrics@2.0.0-368
  - express@4.13.3
    - accepts@1.2.13
      - negotiator@0.5.3
How do I read this?
The list above shows which modules reference each other through their package.json. The last module in the list is the vulnerable module. Updating the vulnerable module's version in the module directly above it, which is the one referencing it, can fix the vulnerability.
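The check described above, as an added example that is not part of the advisory or of any scanning tool: a small Node.js script walks a dependency tree shaped like `npm ls --json` output and reports every chain that ends in a negotiator release below 0.6.1. The sample tree is constructed to mirror the affected module tree in this ticket, with a made-up sibling dependency (`other-lib`) that already carries the patched release.

```javascript
// Added example (not the advisory's or any scanner's code): walk a dependency tree
// shaped like `npm ls --json` output and report every path that ends in a
// negotiator version below the first patched release (0.6.1). Versions are
// compared numerically here rather than via the semver package so it runs alone.

const VULN_MODULE = 'negotiator';
const PATCHED = [0, 6, 1]; // first patched version per the advisory

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` sorts strictly below PATCHED, i.e. is <= 0.6.0.
function isVulnerable(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false; // exactly the patched version
}

// Recursively collect "name@version" chains from the root down to each
// vulnerable negotiator instance, mirroring the ticket's module tree layout.
function findVulnerablePaths(node, name, path = []) {
  const here = [...path, `${name}@${node.version}`];
  const hits = [];
  if (name === VULN_MODULE && isVulnerable(node.version)) hits.push(here);
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(child, dep, here));
  }
  return hits;
}

// Constructed sample: the affected tree from this ticket plus a made-up sibling
// dependency ("other-lib") that already pulls in the patched negotiator.
const sampleTree = {
  version: '2.0.0-368',
  dependencies: {
    express: { version: '4.13.3', dependencies: { accepts: { version: '1.2.13',
      dependencies: { negotiator: { version: '0.5.3' } } } } },
    'other-lib': { version: '1.0.0', dependencies: { accepts: { version: '1.3.0',
      dependencies: { negotiator: { version: '0.6.1' } } } } },
  },
};

const vulnerablePaths = findVulnerablePaths(sampleTree, 'fh-metrics');
vulnerablePaths.forEach(p => console.log(p.join(' > ')));
```

Feeding real `npm ls --json` output in place of `sampleTree` (the root object is the project itself) yields one line per chain that needs its intermediate module, here `accepts` via `express`, bumped.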
Description
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks, including Express and Koa. The "Accept-Language" header, when parsed by negotiator, is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Timeline
- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)