GoogleOSV:GHSA-JC97-H3H9-7XH6Regular Expression Denial of Service in Deno.upgradeWebSocket API
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
48.0%
Impact
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.
Patches
It is recommended that users upgrade to Deno 1.31.0.
References
github.com/denoland/deno
github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js#L395-L409
github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06
github.com/denoland/deno/pull/17722
github.com/denoland/deno/releases/tag/v1.31.0
github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
nvd.nist.gov/vuln/detail/CVE-2023-26103
security.snyk.io/vuln/SNYK-RUST-DENO-3315970
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
48.0%