Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04eDZjLWN2M3YtdnA2Z84AAxiJ

Withdrawn: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service

This advisory is withdawn.

cacheable-request depends on http-cache-semanttics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package. cacheable-request has been updated to rely on the fixed version in 10.2.7.

Summary of http-cache-semantics vulnerability

http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Details

https://github.com/advisories/GHSA-rc47-6667-2j5j

Permalink: https://github.com/advisories/GHSA-8x6c-cv3v-vp6g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eDZjLWN2M3YtdnA2Z84AAxiJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 5 months ago

Widthdrawn: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-8x6c-cv3v-vp6g
References:

• https://github.com/jaredwray/cacheable-request/security/advisories/GHSA-8x6c-cv3v-vp6g
• https://github.com/jaredwray/cacheable-request/commit/8a47777e4eb61960469873cf4b3a2823742fc15e
• https://github.com/advisories/GHSA-rc47-6667-2j5j
• https://github.com/advisories/GHSA-8x6c-cv3v-vp6g

Repository: https://github.com/jaredwray/cacheable-request
Blast Radius: 45.2

Affected Packages