Regular Expression Denial of Service

Module: fresh

Published: September 26th, 2017

Reported by: Cristian-Alexandru Staicu



Vulnerable: < 0.5.2
Patched: >= 0.5.2


Fresh is a module used by the Express.js framework for 'HTTP response freshness testing'. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.


If you are using this module via express, upgrade to Express version 4.15.5 or greater.

Upgrade to 0.5.2 or greater

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo