Regular Expression Denial of Service

Module: negotiator

Published: June 16th, 2016

Reported by: Adam Baldwin

CVE-NONE

CWE-400

Vulnerable: <= 0.6.0
Patched: >= 0.6.1

Overview

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Remediation

Update to version 0.6.1 or later.
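
To confirm that no copy of the module at or below 0.6.0 remains anywhere in a dependency tree after updating, the following added example (not part of the original advisory or of the negotiator project) checks a parsed package-lock.json against the version range above. The lockfile objects and the package names `demo-app`, `example-lib` and `example-middleware` are constructed sample data.

```javascript
// Advisory range: vulnerable <= 0.6.0, patched >= 0.6.1.
const VULN_MAX = [0, 6, 0];

function isVulnerable(version) {
  // Compare major.minor.patch numerically; suffixes such as "-beta" are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // unparseable version: not flagged here
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== VULN_MAX[i]) return parts[i] < VULN_MAX[i];
  }
  return true; // exactly 0.6.0
}

function findVulnerableNegotiator(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      const isNegotiator = path === 'node_modules/negotiator' ||
        path.endsWith('/node_modules/negotiator');
      if (isNegotiator && isVulnerable(info.version)) hits.push({ path, version: info.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'negotiator' && isVulnerable(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (package names other than negotiator are hypothetical).
const sampleLockV2 = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/negotiator': { version: '0.6.1' },
  'node_modules/example-lib/node_modules/negotiator': { version: '0.5.3' },
} };
const sampleLockV1 = { lockfileVersion: 1, dependencies: {
  'example-middleware': { version: '1.0.0', dependencies: { negotiator: { version: '0.6.0' } } },
} };
console.log(findVulnerableNegotiator(sampleLockV2), findVulnerableNegotiator(sampleLockV1));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findVulnerableNegotiator`; an empty array means every resolved copy is 0.6.1 or later.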