PT-2022-19425 · Hawk+2

Github-Actionsbot · Published 2022-05-05 · Updated 2024-03-24 · CVE-2022-29167
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Hawk versions prior to 9.0.1
Description Hawk is an HTTP authentication scheme that provides mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response. Versions prior to 9.0.1 are vulnerable to a regular expression denial of service (ReDoS): Hawk.utils.parseHost() parsed the Host HTTP header with a regular expression, and a crafted header value makes the match backtrack so heavily that computation time grows exponentially with each added character in the input. No credentials are needed to trigger it, since the Host header is parsed as part of authentication before any credential check could reject the request; this is consistent with the CVSS vector (PR:N, UI:N, A:H). Version 9.0.1 patched parseHost() to parse the hostname with the built-in URL class instead. Hawk.authenticate() accepts an options argument; if it contains host and port, those values are used and utils.parseHost() is not called.
Recommendations Update to Hawk 9.0.1 or later. As a temporary workaround on versions prior to 9.0.1, pass host and port in the options argument to Hawk.authenticate() so that utils.parseHost() is never called; take those values from server configuration or from a parser that does not rely on the vulnerable regular expression, otherwise the workaround only moves the problem.
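As an added illustration (not code from the hawk package), the following Node.js example contrasts a Host-header parser built on a backtracking-prone regular expression of the same shape as the pre-9.0.1 pattern (its exact form is an assumption, not a verbatim copy) with the URL-class approach the fix takes, and shows how a caller that cannot upgrade yet can pre-compute host and port for the options argument. The function names, the redosProbe helper and the sample requests are my own; the req shape assumed is Node's IncomingMessage (headers.host, socket.encrypted).

```javascript
// Added example for CVE-2022-29167: Host header parsing with a backtracking-prone
// regular expression versus the built-in URL class, plus the pre-computed
// host/port workaround. Not code from the hawk package; the regex is modelled on
// the shape of the pre-9.0.1 pattern and is an assumption, not a verbatim copy.

// Vulnerable style: the leading/trailing whitespace groups contain a nested
// quantifier ((\r\n)?\s inside *), and [^:]+ also matches whitespace, so one
// input can be partitioned between the groups in a number of ways that grows
// with its length. On a failing match the engine tries every partition.
const HOST_REGEX = /^(?:(?:\r\n)?\s)*([^:]+)(?::(\d+))?(?:(?:\r\n)?\s)*$/;

function parseHostWithRegex(hostHeader, encrypted = false) {
  const m = HOST_REGEX.exec(hostHeader);
  if (!m) return null;
  return { name: m[1], port: m[2] ? Number(m[2]) : (encrypted ? 443 : 80) };
}

// Builds a Host value for timing the regex version: n runs of CRLF+space, each
// splittable several ways across the whitespace groups, then a tail (":x") that
// can never match, forcing the failure path. Time parseHostWithRegex(redosProbe(n))
// for growing n yourself; it is intentionally not executed at large n here.
function redosProbe(n) {
  return '\r\n '.repeat(n) + ':x';
}

// Hardened parse, the approach 9.0.1 takes (reconstructed here, not hawk's code):
// reject characters that can never appear in host[:port], then let the WHATWG
// URL parser (linear time, strict host and port validation) do the rest. The
// scheme is chosen so its default port equals the connection's default port, so
// url.port === '' means "default" whether or not ":443" was written explicitly.
function parseHostWithUrl(hostHeader, encrypted = false) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return null;
  if (/[\s\/?#@\\]/.test(hostHeader)) return null;  // path, query, userinfo, CRLF
  const scheme = encrypted ? 'https' : 'http';
  let url;
  try {
    url = new URL(`${scheme}://${hostHeader}`);
  } catch {
    return null;                      // empty host, bad port, forbidden code point
  }
  // Belt and braces: the authority must be the whole input.
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    return null;
  }
  return {
    name: url.hostname,               // lowercased; IPv6 literals keep their brackets
    port: url.port ? Number(url.port) : (encrypted ? 443 : 80),
  };
}

// Workaround for callers that cannot upgrade yet: compute host and port once with
// the safe parser and hand them to Hawk in the options argument so that its
// authenticate() never reaches utils.parseHost(). The req shape (headers.host,
// socket.encrypted) is Node's http/https IncomingMessage; hawk is not imported.
function authenticateOptionsFor(req) {
  const encrypted = Boolean(req.socket && req.socket.encrypted);
  const parsed = parseHostWithUrl(req.headers.host, encrypted);
  if (parsed === null) return null;   // refuse the request before calling Hawk
  return { host: parsed.name, port: parsed.port };
}

// Constructed sample inputs (not captured traffic).
for (const h of ['example.com:8000', '[::1]:8000', 'exa mple.com', 'example.com/admin']) {
  console.log(JSON.stringify(h), 'regex:', parseHostWithRegex(h), 'url:', parseHostWithUrl(h));
}
```

The URL-based parser is also stricter than the regex one: values the regex accepts, such as a host containing a space or a trailing path, are rejected before the host value feeds Hawk's MAC computation. If you use the workaround, the host and port handed to the options argument must come from this kind of parser or from static server configuration, never from re-parsing the raw header with the same regular expression.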

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2022-29167
DLA-3246-1
GHSA-44PW-H2CW-W3VQ
MGASA-2024-0086
OESA-2022-1667
USN-6116-1

Affected Products

Hawk
Linuxmint
Ubuntu