Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qYzk3LWgzaDktN3hoNs4AAygy

Regular Expression Denial of Service in Deno.upgradeWebSocket API

Impact

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Patches

It is recommended that users upgrade to Deno 1.31.0.

Permalink: https://github.com/advisories/GHSA-jc97-h3h9-7xh6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qYzk3LWgzaDktN3hoNs4AAygy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 12 months ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-jc97-h3h9-7xh6, CVE-2023-26103
References: Repository: https://github.com/denoland/deno

Affected Packages

cargo:deno
Dependent packages: 5
Dependent repositories: 1
Downloads: 121,328 total
Affected Version Ranges: >= 1.12.0, < 1.31.0
Fixed in: 1.31.0
All affected versions: 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.30.0, 1.30.1, 1.30.2, 1.30.3
All unaffected versions: 0.0.1, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.38.0, 0.40.0, 0.41.0, 0.42.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.3, 1.4.0, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.5, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.4, 1.11.5, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.32.4, 1.32.5, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.36.4, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.38.5, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.40.5, 1.41.0, 1.41.1, 1.41.2, 1.41.3