CVE-2023-26103

Exploit

EPSS 0.15%
Veröffentlicht 25.02.2023 05:15:12
Zuletzt bearbeitet 11.03.2025 16:15:14
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deno ≫ Deno Version < 1.31.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.349

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409

Broken Link

https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06

Patch

https://github.com/denoland/deno/pull/17722

Patch

https://github.com/denoland/deno/releases/tag/v1.31.0

Release Notes

https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970

Third Party Advisory

Exploit

Technical Description