Regular Expression Denial of Service

Module: forwarded

Published: September 26th, 2017

Reported by: Cristian-Alexandru Staicu



Vulnerable: < 0.1.2
Patched: >= 0.1.2


The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to regular expression denial of service (ReDoS) when it is passed specially crafted input to parse: evaluating the regular expression blocks the event loop, causing a denial of service condition.


If you are using this module via express, upgrade to Express version 4.15.5 or greater.

Otherwise, upgrade forwarded to version 0.1.2 or greater.
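
Because forwarded is usually pulled in transitively, an upgrade can leave an older nested copy behind. The following added example (not part of the original advisory or of the forwarded project) lists every copy recorded in a parsed package-lock.json that is below 0.1.2; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag copies of `forwarded` below the patched release in a parsed lockfile.
const PATCHED = '0.1.2'; // from the advisory: patched >= 0.1.2

// Compare two x.y.z versions numerically (so 0.1.10 > 0.1.2).
// Limitation: a pre-release suffix such as "-beta" is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect { path, version } for each copy of `name`, handling both the
// lockfileVersion 1 layout (nested "dependencies") and 2/3 (flat "packages").
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && meta.version) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + dep;
      if (dep === name && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/'); // nested copies live under the parent
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies of forwarded older than the patched version.
function vulnerableCopies(lock) {
  return findInstalled(lock, 'forwarded').filter(p => compareVersions(p.version, PATCHED) < 0);
}

// Constructed sample lockfile (v1 layout), not taken from a real project.
const sampleLock = {
  dependencies: {
    express: { version: '4.15.4' },
    'proxy-addr': { version: '1.1.5', dependencies: { forwarded: { version: '0.1.0' } } },
    forwarded: { version: '0.1.2' },
  },
};
console.log(vulnerableCopies(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json to `vulnerableCopies` in place of `sampleLock`.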
