PT-2023-20490 · Deno · Deno

Alessio Della Libera

Published

2023-02-25

Updated

2025-03-11

CVE-2023-26103

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions deno versions prior to 1.31.0

Description The issue is related to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Recommendations For deno versions prior to 1.31.0, it is recommended that users upgrade to Deno 1.31.0. As a temporary workaround, consider restricting access to the upgradeWebSocket function until a patch is available. Avoid using the Connection/Upgrade header with specially crafted values in the affected API endpoint until the issue is resolved.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1333

Related Identifiers

CVE-2023-26103

GHSA-JC97-H3H9-7XH6

GHSA-XR9W-X6GW-C9MJ

Affected Products

Deno

PT-2023-20490 · Deno · Deno

CVE-2023-26103

Weakness Enumeration

Related Identifiers

Affected Products

References · 14