PT-2018-4718 · Node.Js · Negotiator+2
Published 2018-05-31 · Updated 2019-10-09 · CVE-2016-10539
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
negotiator versions 0.6.0 and earlier
Description
negotiator, an HTTP content negotiation library for Node.js, is vulnerable to Regular Expression Denial of Service (ReDoS) via a specially crafted string in the "Accept-Language" header. This issue affects many modules and frameworks that depend on it, including Express and Koa. The vulnerability triggers when the specially crafted Accept-Language header value is parsed.
Recommendations
Update to version 0.6.1 or later.
Fix
RCE
Resource Exhaustion
Related Identifiers
Affected Products
Express
Koa
Negotiator