Vulnerability Description
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deno | Deno | < 1.31.0 |
Related Weaknesses (CWE)
References
- https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/eBroken Link
- https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06Patch
- https://github.com/denoland/deno/pull/17722Patch
- https://github.com/denoland/deno/releases/tag/v1.31.0Release Notes
- https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970ExploitTechnical DescriptionThird Party Advisory
- https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/eBroken Link
- https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06Patch
- https://github.com/denoland/deno/pull/17722Patch
- https://github.com/denoland/deno/releases/tag/v1.31.0Release Notes
- https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970ExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2023-26103?
CVE-2023-26103 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for ...
How severe is CVE-2023-26103?
CVE-2023-26103 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26103?
Check the references section above for vendor advisories and patch information. Affected products include: Deno Deno.