Regular Expression Denial of Service

Module: forwarded

Published: September 26th, 2017

Reported by: Cristian-Alexandru Staicu

CVE-NONE

Vulnerable: < 0.1.2
Patched: >= 0.1.2

Overview

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. Parsing such input blocks the event loop, causing a denial of service condition.

Remediation

If you are using this module via express, upgrade to Express version 4.15.5 or greater.

Otherwise, upgrade forwarded to version 0.1.2 or greater.
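
To confirm the remediation reached every copy of the module, including nested ones, the following added example (not part of the original advisory or of the forwarded/express projects) walks a parsed package-lock.json and reports entries below the patched versions stated above. The function names, the sample lockfile and the simplified version comparison are assumptions made for illustration.

```javascript
// Added example: flag lockfile entries affected by this advisory.
// Thresholds come from the advisory: forwarded < 0.1.2, express < 4.15.5.
const PATCHED = { forwarded: [0, 1, 2], express: [4, 15, 5] };

// Compare "x.y.z" with [x, y, z]; pre-release/build suffixes are ignored (simplification).
function isBelow(version, min) {
  const parts = String(version).split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== min[i]) return a < min[i];
  }
  return false;
}

// Walk a parsed package-lock.json: v2/v3 flat "packages" map, or v1 nested "dependencies".
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (PATCHED[name] && version && isBelow(version, PATCHED[name])) {
      hits.push({ name, version, path });
    }
  };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key) continue; // "" is the root project itself
    check(key.split('node_modules/').pop(), meta.version, key);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${name}` : name;
      check(name, meta.version, path);
      walk(meta.dependencies, path); // nested copies can lag behind the top-level one
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v1 layout), not taken from a real project.
const sampleLock = {
  dependencies: {
    express: { version: '4.15.4', dependencies: {
      'proxy-addr': { version: '1.1.5', dependencies: { forwarded: { version: '0.1.0' } } } } },
    forwarded: { version: '0.1.2' },
  },
};
console.log(findAffected(sampleLock));
```

In a real project, pass the result of JSON.parse on the lockfile contents to findAffected; an empty array means no affected version is pinned.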
