CVE-2023-26103
Summary
| CVE | CVE-2023-26103 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-02-25 05:15:00 UTC |
| Updated | 2023-11-07 04:09:00 UTC |
| Description | Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. |
Risk And Classification
Problem Types: CWE-1333
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v1.31.0 · denoland/deno · GitHub | MISC | github.com | |
| github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/e... | MISC | github.com | |
| Regular Expression Denial of Service (ReDoS) in deno | CVE-2023-26103 | Snyk | MISC | security.snyk.io | |
| refactor(ext/http): use `String.prototype.trim()` instead of regex (#… · denoland/deno@cf06a7c · GitHub | MISC | github.com | |
| refactor(ext/http): use String.prototype.trim() instead of regex by piscisaureus · Pull Request #17722 · denoland/deno · GitHub | MISC | github.com | |
| deno/01_http.js at 2b247be517d789a37e532849e2e40b724af0918f · denoland/deno · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 996225 Rust (Rust) Security Update for deno (GHSA-jc97-h3h9-7xh6)