PT-2018-6145 · Expressjs · Forwarded

Published: 2018-06-07 · Updated: 2019-10-09 · CVE-2017-16118

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: forwarded versions prior to 0.1.2
Description: The issue affects the forwarded module used by the Express.js framework to handle the X-Forwarded-For header. It is susceptible to a regular expression denial of service when passed specially crafted input to parse, causing the event loop to be blocked and resulting in a denial of service condition.
Recommendations: Update to version 0.1.2 or later. As a temporary workaround, consider restricting the input to the forwarded module to minimize the risk of exploitation.
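
One way to apply the temporary workaround above, as an added example that is not part of the advisory or of the forwarded project's code: Express-style middleware that drops an oversized or malformed X-Forwarded-For value before any later code parses it. The limits, the allowed character set and the `forwardedForRejected` field are assumptions chosen for illustration.

```javascript
// Added example. The limits below are assumptions, not values from the advisory.
const DEFAULT_LIMITS = { maxLength: 256, maxEntries: 10 };

// Assumed policy: only characters that can occur in a comma-separated
// list of IPv4/IPv6 literals are accepted.
const ALLOWED = new Set('0123456789abcdefABCDEF.:, \t');

// Returns null when the header value is acceptable, otherwise a reason string.
// Only single-pass loops are used, so the check itself is linear in input size.
function checkForwardedFor(value, limits = DEFAULT_LIMITS) {
  if (value === undefined) return null;          // header absent: nothing to check
  if (typeof value !== 'string') return 'not-a-string';
  if (value.length > limits.maxLength) return 'too-long';
  let entries = 1;
  for (const ch of value) {
    if (!ALLOWED.has(ch)) return 'bad-character';
    if (ch === ',' && ++entries > limits.maxEntries) return 'too-many-entries';
  }
  return null;
}

// Express-style middleware: remove a rejected header so that code running
// later in the chain never receives the raw value.
function forwardedForGuard(limits = DEFAULT_LIMITS) {
  return function (req, res, next) {
    const reason = checkForwardedFor(req.headers['x-forwarded-for'], limits);
    if (reason !== null) {
      delete req.headers['x-forwarded-for'];
      req.forwardedForRejected = reason;         // hypothetical field, for logging
    }
    next();
  };
}
```

Register the guard before any middleware or route that reads the client address, and log `forwardedForRejected` so rejected requests are visible to monitoring.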

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

AZL-44496
CVE-2017-16118
GHSA-MPCF-4GMH-23W8

Affected Products

Forwarded