PT-2023-20490 · Deno · Deno
Alessio Della Libera
+1
·
Publicado
2023-02-25
·
Atualizado
2025-03-11
·
CVE-2023-26103
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
deno versions prior to 1.31.0
Description
The issue is related to Regular Expression Denial of Service (ReDoS) due to the
upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.Recommendations
For deno versions prior to 1.31.0, it is recommended that users upgrade to Deno 1.31.0. As a temporary workaround, consider restricting access to the
upgradeWebSocket function until a patch is available. Avoid using the Connection/Upgrade header with specially crafted values in the affected API endpoint until the issue is resolved.Exploit
Correção
DoS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Deno