Total
3381 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-16138 | 2 Mime Project, Redhat | 2 Mime, Quay | 2024-11-21 | N/A |
| The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. | ||||
| CVE-2017-16137 | 2 Debug Project, Redhat | 2 Debug, Quay | 2024-11-21 | N/A |
| The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue. | ||||
| CVE-2017-16136 | 1 Expressjs | 1 Method-override | 2024-11-21 | N/A |
| method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header. | ||||
| CVE-2017-16129 | 1 Superagent Project | 1 Superagent | 2024-11-21 | N/A |
| The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to. | ||||
| CVE-2017-16119 | 1 Fresh Project | 1 Fresh | 2024-11-21 | N/A |
| Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. | ||||
| CVE-2017-16118 | 1 Forwarded Project | 1 Forwarded | 2024-11-21 | N/A |
| The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. | ||||
| CVE-2017-16117 | 1 Slug Project | 1 Slug | 2024-11-21 | N/A |
| slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds. | ||||
| CVE-2017-16116 | 1 String Project | 1 String | 2024-11-21 | 7.5 High |
| The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods. | ||||
| CVE-2017-16115 | 1 Timespan Project | 1 Timespan | 2024-11-21 | 7.5 High |
| The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds. | ||||
| CVE-2017-16114 | 1 Marked Project | 1 Marked | 2024-11-21 | N/A |
| The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. | ||||
| CVE-2017-16113 | 1 Parsejson Project | 1 Parsejson | 2024-11-21 | N/A |
| The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed. | ||||
| CVE-2017-16111 | 1 Content Project | 1 Content | 2024-11-21 | N/A |
| The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header. | ||||
| CVE-2017-16099 | 1 No-case Project | 1 No-case | 2024-11-21 | 7.5 High |
| The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition. | ||||
| CVE-2017-16098 | 1 Charset Project | 1 Charset | 2024-11-21 | N/A |
| charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low. | ||||
| CVE-2017-16086 | 1 Ua-parser Project | 1 Ua-parser | 2024-11-21 | N/A |
| ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header. | ||||
| CVE-2017-16030 | 1 Useragent Project | 1 Useragent | 2024-11-21 | N/A |
| Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier. | ||||
| CVE-2017-16025 | 1 Hapijs | 1 Nes | 2024-11-21 | N/A |
| Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out. | ||||
| CVE-2017-16023 | 1 Decamelize Project | 1 Decamelize | 2024-11-21 | N/A |
| Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack. | ||||
| CVE-2017-16021 | 1 Garycourt | 1 Uri-js | 2024-11-21 | 6.5 Medium |
| uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier. | ||||
| CVE-2017-16013 | 1 Hapijs | 1 Hapi | 2024-11-21 | N/A |
| hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. | ||||