Regular Expression Denial of Service
Published: June 16th, 2016
Reported by: Adam Baldwin
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.
The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.
- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)
Upgrade to at least version 0.6.1
Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the
acceptsLanguages function call in your application will tell you if you are using this functionality.