Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04eDZjLWN2M3YtdnA2Z84AAxiJ

Withdrawn: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service

This advisory is withdrawn.

cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package. cacheable-request has been updated to rely on the fixed version in 10.2.7.

Summary of http-cache-semantics vulnerability

http-cache-semantics contains an Inefficient Regular Expression Complexity, leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server when that server reads the cache policy from the request using this library.

Details

https://github.com/advisories/GHSA-rc47-6667-2j5j

Permalink: https://github.com/advisories/GHSA-8x6c-cv3v-vp6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eDZjLWN2M3YtdnA2Z84AAxiJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 month ago

Withdrawn: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-8x6c-cv3v-vp6g
References: Repository: https://github.com/jaredwray/cacheable-request
Blast Radius: 45.2

Affected Packages

npm:cacheable-request
Dependent packages: 496
Dependent repositories: 1,073,088
Downloads: 68,764,270 last month
Affected Version Ranges: < 10.2.7
Fixed in: 10.2.7
All affected versions: 0.0.0, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.1.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 8.0.0, 8.0.1, 8.3.0, 8.3.1, 9.0.0, 10.0.0, 10.0.1, 10.0.2, 10.1.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6
All unaffected versions: 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14, 11.0.0, 12.0.0, 12.0.1