Regular Expression Denial of Service

Module: hawk

Published: January 19th, 2016

Reported by: Adam Baldwin

CVE-2016-2515

CWE-400

Vulnerable: < 3.1.3 || >= 4.0.0 <4.1.1
Patched: >=3.1.3 < 4.0.0 || >=4.1.1

Overview

Versions of hawk prior to 3.1.3, and 4.x versions prior to 4.1.1, are affected by a regular expression denial of service vulnerability related to excessively long headers and URIs.

Remediation

Update to hawk version 4.1.1 or later.
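
To locate installs covered by the ranges listed above, this added example (not part of the advisory or of hawk itself) scans an npm lockfile object for hawk copies in the vulnerable range. The sample lockfile is constructed, and flagging prereleases and unparseable version specs is a conservative assumption.

```javascript
// "MAJOR.MINOR.PATCH[-prerelease]" -> [major, minor, patch, rank]; rank 0 marks a
// prerelease so it sorts before its release. Returns null for non-semver specs.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1] : null;
}

function cmp(a, b) {
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Advisory range: < 3.1.3 || >= 4.0.0 < 4.1.1. Returns true, false, or null (cannot judge).
function isVulnerableHawk(version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (cmp(v, [3, 1, 3, 1]) < 0) return true;
  // Lower bound uses rank 0 so 4.0.0 prereleases are flagged too (assumption).
  return cmp(v, [4, 0, 0, 0]) >= 0 && cmp(v, [4, 1, 1, 1]) < 0;
}

// Walk an npm lockfile object and report every hawk copy that is not clearly patched.
function findVulnerableHawk(lock) {
  const hits = [];
  const check = (path, version) => {
    const verdict = isVulnerableHawk(version);
    if (verdict !== false) hits.push({ path, version, status: verdict ? "vulnerable" : "unknown" });
  };
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/hawk" || path.endsWith("/node_modules/hawk")) check(path, meta.version);
    }
  } else { // lockfileVersion 1: nested dependencies tree
    (function walk(deps, trail) {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === "hawk") check([...trail, name].join(" > "), meta.version);
        walk(meta.dependencies, [...trail, name]);
      }
    })(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (not from the advisory).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  request: { version: "2.67.0", dependencies: { hawk: { version: "3.1.0" } } },
  hawk: { version: "4.1.1" },
} };
console.log(findVulnerableHawk(SAMPLE_LOCK));
```

Entries reported with status "unknown" (for example git or tarball specs) need a manual look at the resolved version.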

References

Issue #168