CVE-2023-26103

Exploit

EPSS 1.23%
Veröffentlicht 25.02.2023 05:15:12
Zuletzt bearbeitet 11.03.2025 16:15:14
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deno ≫ Deno Version < 1.31.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.23%	0.65

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409

Broken Link

https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06

Patch

https://github.com/denoland/deno/pull/17722

Patch

https://github.com/denoland/deno/releases/tag/v1.31.0

Release Notes

https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970

Third Party Advisory

Exploit

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2023-26103

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-26103

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-26103

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-26103