NodeJS/negotiator/0.2.8


HTTP content negotiation

https://www.npmjs.com/package/negotiator
MIT

2 Security Vulnerabilities

Regular Expression Denial of Service in negotiator

Published date: 2018-10-09T00:30:30Z
CVE: CVE-2016-10539
Links:

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

Recommendation

Update to version 0.6.1 or later.

Affected versions: ["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]
Secure versions: [0.6.1, 0.6.2, 0.6.3]
Recommendation: Update to version 0.6.3.

Regular Expression Denial of Service

Published date: 2016-06-16
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
Links:

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for Accept-Language, when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Timeline

  • April 29th 2016 - Initial report to maintainers
  • April 29th 2016 - Confirm receipt from maintainers
  • May 1st 2016 - Fix confirmed
  • May 5th 2016 - 0.6.1 published with fix
  • June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)

Affected versions: ["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]
Secure versions: [0.6.1, 0.6.2, 0.6.3]
Recommendation: Upgrade to at least version 0.6.1 Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.

26 Other Versions

Version License Security Released
0.6.3 MIT 2022-01-23 - 01:50 about 2 years
0.6.2 MIT 2019-04-30 - 00:30 almost 5 years
0.6.1 MIT 2016-05-03 - 04:47 almost 8 years
0.6.0 MIT 2 2015-09-30 - 01:21 over 8 years
0.5.3 MIT 2 2015-05-11 - 02:19 almost 9 years
0.5.2 MIT 2 2015-05-07 - 05:18 almost 9 years
0.5.1 MIT 2 2015-02-15 - 01:54 about 9 years
0.5.0 MIT 2 2014-12-19 - 04:05 over 9 years
0.4.9 MIT 2 2014-10-15 - 04:39 over 9 years
0.4.8 MIT 2 2014-09-28 - 21:46 over 9 years
0.4.7 MIT 2 2014-06-24 - 22:32 almost 10 years
0.4.6 MIT 2 2014-06-11 - 19:36 almost 10 years
0.4.5 MIT 2 2014-05-29 - 15:53 almost 10 years
0.4.4 MIT 2 2014-05-29 - 15:19 almost 10 years
0.4.3 MIT 2 2014-04-16 - 14:12 almost 10 years
0.4.2 MIT 2 2014-03-01 - 03:06 about 10 years
0.4.1 MIT 2 2014-01-16 - 17:02 about 10 years
0.4.0 MIT 2 2014-01-09 - 15:23 about 10 years
0.3.0 MIT 2 2013-10-18 - 20:12 over 10 years
0.2.8 MIT 2 2013-09-19 - 18:33 over 10 years
0.2.7 MIT 2 2013-08-11 - 04:12 over 10 years
0.2.6 MIT 2 2013-06-05 - 14:20 almost 11 years
0.2.5 MIT 2 2012-08-11 - 18:16 over 11 years
0.2.4 MIT 2 2012-06-02 - 21:48 almost 12 years
0.2.3 MIT 2 2012-04-24 - 21:37 almost 12 years
0.1.0 MIT 2 2012-01-26 - 17:25 about 12 years