Regular Expression Denial of Service

Module: negotiator

Published: June 16th, 2016

Reported by: Adam Baldwin



Vulnerable: <= 0.6.0
Patched: >= 0.6.1


negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.


  • April 29th 2016 - Initial report to maintainers
  • April 29th 2016 - Confirm receipt from maintainers
  • May 1st 2016 - Fix confirmed
  • May 5th 2016 - 0.6.1 published with fix
  • June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)


Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo