GHSA-8x6c-cv3v-vp6g cacheable-request

Package

Manager: npm
Name: cacheable-request
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: N/A

EPSS: N/A (pctl: N/A)

Details

Withdrawn: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service

## This advisory is withdrawn.

cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package. cacheable-request has been updated to rely on the fixed version in 10.2.7.

### Summary of http-cache-semantics vulnerability

http-cache-semantics contains an Inefficient Regular Expression Complexity, leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

### Details

https://github.com/advisories/GHSA-rc47-6667-2j5j

Metadata

Created: 2023-02-11T00:13:31Z
Modified: 2023-02-14T02:40:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-8x6c-cv3v-vp6g/GHSA-8x6c-cv3v-vp6g.json
CWE IDs: ["CWE-1333"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0