GHSA-44pw-h2cw-w3vq

Suggest an improvement
Source
https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-44pw-h2cw-w3vq/GHSA-44pw-h2cw-w3vq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-44pw-h2cw-w3vq
Aliases
Published
2022-05-23T20:18:14Z
Modified
2023-11-01T05:16:50.412875Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H CVSS Calculator
Summary
Uncontrolled Resource Consumption in Hawk
Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead.Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().

Database specific
{
    "nvd_published_at": "2022-05-05T23:15:00Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-23T20:18:14Z"
}
References

Affected packages

npm / hawk

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.1

Ecosystem specific

{
    "affected_functions": [
        "(hawk).utils.parseHost"
    ]
}