
GHSA-xr9w-x6gw-c9mj deno

Package

Manager: cargo
Name: deno
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: N/A

EPSS: N/A (percentile: N/A)

Details

Duplicate advisory: Deno vulnerable to Regular Expression Denial of Service

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of [GHSA-jc97-h3h9-7xh6](https://github.com/advisories/GHSA-jc97-h3h9-7xh6). This link is maintained to preserve external references.

Original Description

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes of the form /\s*,\s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a WebSocket server. This issue has been patched in version 1.31.0.
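The following is an added example, not Deno's code or the 1.31.0 patch: it shows why a /\s*,\s*/ split over a client-controlled header list is quadratic, next to a linear-time split-and-trim that a server can use instead. The header values, the function names and the mitigation are assumptions for illustration.

```javascript
// Added example (not Deno's code): the Connection/Upgrade header split named
// in the advisory beside a linear-time replacement, plus a small timing
// harness. All header values here are constructed, not captured traffic.

// The advisory's pattern. For a long run of whitespace with no comma, the
// engine lets \s* eat to the end, fails on ",", backtracks, and then retries
// from the next offset: about n^2/2 steps for n characters.
const HEADER_LIST_SPLIT = /\s*,\s*/;

function splitHeaderWithRegex(value) {
  return value.split(HEADER_LIST_SPLIT);
}

// Assumed mitigation (not necessarily what 1.31.0 does): split on the literal
// comma, then trim each token and drop empties. Every character is visited a
// constant number of times, so cost stays linear in the header length.
function splitHeaderLinear(value) {
  return value
    .split(",")
    .map((token) => token.trim())
    .filter((token) => token !== "");
}

// Case-insensitive token check, as an upgrade handler needs for "Upgrade".
function headerHasToken(value, token, splitter = splitHeaderLinear) {
  const wanted = token.toLowerCase();
  return splitter(value).some((t) => t.toLowerCase() === wanted);
}

// Constructed worst-case header value: n spaces and no comma at all.
function whitespaceOnlyHeader(n) {
  return " ".repeat(n);
}

// Wall-clock milliseconds for one splitter on one value.
function measureMs(splitter, value) {
  const start = Date.now();
  splitter(value);
  return Date.now() - start;
}

// Usage: doubling n roughly quadruples the regex time, not the linear time.
for (const n of [4_000, 8_000, 16_000]) {
  const value = whitespaceOnlyHeader(n);
  console.log(
    `n=${n}: regex ${measureMs(splitHeaderWithRegex, value)} ms, ` +
      `linear ${measureMs(splitHeaderLinear, value)} ms`,
  );
}
```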

Metadata

Created: 2023-02-25T06:30:21Z
Modified: 2023-04-03T17:18:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-xr9w-x6gw-c9mj/GHSA-xr9w-x6gw-c9mj.json
CWE IDs: ["CWE-1333"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0