NodeJS/negotiator/0.6.0
HTTP content negotiation
https://www.npmjs.com/package/negotiator
MIT
2 Security Vulnerabilities
Regular Expression Denial of Service in negotiator
Published date: 2018-10-09T00:30:30Z
CVE: CVE-2016-10539
Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.
Recommendation
Update to version 0.6.1 or later.
Affected versions:
["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]
Secure versions:
["0.6.1", "0.6.2", "0.6.3"]
Recommendation:
Update to version 0.6.3.
Regular Expression Denial of Service
Published date: 2016-06-16
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.
The Accept-Language header, when parsed by negotiator, is vulnerable to Regular Expression Denial of Service via a specially crafted string.
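A timing probe for the failure mode described above, added here as an example; it is not negotiator's code and not part of the advisory. It deliberately does not reproduce negotiator 0.6.0's regular expression or the reported crafted string. Instead it pairs a constructed backtracking-prone language matcher with a constructed linear one and measures how parse time grows with the length of a constructed Accept-Language value, which is the regression check you would run against your own installed version. The two patterns, the `craftedValue` builder, the probe sizes and the growth threshold are all assumptions chosen for the demonstration.

```javascript
// Added example: growth probe for ReDoS-prone header parsing. Not negotiator's code;
// both matchers are constructed stand-ins, not the expression that shipped in 0.6.0.

// Backtracking-prone stand-in: the nested quantifier `([a-z]+)+` lets the engine try
// every way of splitting a run of letters once the overall match has failed.
const BACKTRACKING_LANGUAGE_RE = /^([a-z]+)+(?:-[a-z0-9]+)*(?:;\s*q=(?:0(?:\.\d+)?|1(?:\.0+)?))?$/i;
function slowLanguageParser(value) { return BACKTRACKING_LANGUAGE_RE.test(value); }

// Linear stand-in: bounded, unambiguous pieces (tag lengths are an assumption), so a
// failed match backtracks only a bounded number of times per position.
const LINEAR_LANGUAGE_RE = /^[a-z]{1,8}(?:-[a-z0-9]{1,8})*(?:;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?$/i;
function linearLanguageParser(value) { return LINEAR_LANGUAGE_RE.test(value); }

// Constructed input: n letters followed by a character no branch accepts, so every
// attempt fails at the end and the engine must backtrack through its alternatives.
function craftedValue(n) { return 'a'.repeat(n) + '!'; }

// Average nanoseconds per call over at least `minReps` calls and `minNs` of wall time.
function nsPerCall(fn, input, minReps = 20, minNs = 5_000_000n) {
  const start = process.hrtime.bigint();
  let reps = 0;
  let elapsed = 0n;
  do {
    fn(input);
    reps += 1;
    elapsed = process.hrtime.bigint() - start;
  } while (reps < minReps || elapsed < minNs);
  return Number(elapsed) / reps;
}

// Compare per-call time at the smallest and largest input; a parser whose time grows
// more than `threshold` times faster than the input did is flagged as super-linear.
function probeGrowth(parser, buildInput, sizes = [8, 10, 12, 14, 16], threshold = 10) {
  for (let i = 0; i < 200; i++) parser(buildInput(sizes[0])); // JIT warm-up, not timed
  const samples = sizes.map((n) => ({ n, nsPerCall: nsPerCall(parser, buildInput(n)) }));
  const first = samples[0];
  const last = samples[samples.length - 1];
  const sizeRatio = last.n / first.n;
  const timeRatio = last.nsPerCall / first.nsPerCall;
  return { samples, sizeRatio, timeRatio, superLinear: timeRatio > threshold * sizeRatio };
}

// Stand-alone run: the backtracking stand-in is flagged, the linear one is not.
for (const [label, parser] of [['backtracking', slowLanguageParser], ['linear', linearLanguageParser]]) {
  const r = probeGrowth(parser, craftedValue);
  console.log(label, 'super-linear:', r.superLinear, 'time ratio:', r.timeRatio.toFixed(1));
}
```

To test a real installation, pass negotiator's parsing entry point (for example a wrapper around `languages()` on a request object carrying the header) as `parser`; keep the sizes small, since a genuinely exponential parser will not return at all for inputs a few dozen characters longer.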
Timeline
- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)
Affected versions:
["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]
Secure versions:
["0.6.1", "0.6.2", "0.6.3"]
Recommendation:
Upgrade to at least version 0.6.1
Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.
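A lockfile audit for the affected ranges above, added here as an example; it is not the advisory's or the project's own tooling. It walks a package-lock.json (v1 nested `dependencies`, or the flat `packages` map of v2/v3), finds every installed copy of negotiator, including copies nested under other packages, and flags versions below 0.6.1; it applies the same check to express against 4.14.0, per the recommendation above. The sample lockfile, the `RULES` table and all function names are constructed for this example.

```javascript
// Added example: audit a package-lock.json for vulnerable negotiator (and express)
// versions. Not part of negotiator or the advisory; the thresholds come from the
// advisory text (negotiator fixed in 0.6.1, Express users told to move to 4.14.0).

// Fixed versions per the advisory. Anything below `fixed` is flagged.
const RULES = [
  { name: 'negotiator', fixed: '0.6.1', note: 'CVE-2016-10539: ReDoS in Accept-Language parsing' },
  { name: 'express', fixed: '4.14.0', note: 'advisory recommends Express 4.14.0 or greater' },
];

// Constructed sample lockfile (lockfileVersion 2 layout) with a nested copy of negotiator.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { express: '4.13.4', koa: '2.0.0' } },
    'node_modules/express': { version: '4.13.4' },
    'node_modules/negotiator': { version: '0.6.0' },
    'node_modules/koa': { version: '2.0.0' },
    'node_modules/koa/node_modules/negotiator': { version: '0.6.3' },
  },
};

// Numeric compare of dotted versions; prerelease suffixes are ignored for this check.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Flatten a lockfile into [{ name, path, version }], covering v1 (nested
// `dependencies`) and v2/v3 (flat `packages` keyed by install path).
function listInstalled(lock) {
  const out = [];
  const marker = 'node_modules/';
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const name = info.name || (path.includes(marker)
        ? path.slice(path.lastIndexOf(marker) + marker.length) // keeps @scope/name intact
        : path);
      out.push({ name, path, version: info.version });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}${marker}${name}`;
      out.push({ name, path, version: info.version });
      walk(info.dependencies, `${path}/`); // nested copies live under the parent
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Every installed copy of a package named in RULES, with a vulnerable flag.
function auditLock(lock) {
  return listInstalled(lock).flatMap((pkg) => {
    const rule = RULES.find((r) => r.name === pkg.name);
    if (!rule || !pkg.version) return [];
    const vulnerable = compareVersions(pkg.version, rule.fixed) < 0;
    return [{ ...pkg, vulnerable, fixed: rule.fixed, note: rule.note }];
  });
}

// Stand-alone run: report what needs upgrading in the constructed sample.
for (const f of auditLock(SAMPLE_LOCK)) {
  const tag = f.vulnerable ? 'VULNERABLE' : 'ok';
  console.log(`${tag} ${f.path}@${f.version} (fixed in ${f.fixed})${f.vulnerable ? ' ' + f.note : ''}`);
}
```

Nested copies matter here: a project can carry a fixed top-level negotiator while an older framework pins a vulnerable one under its own `node_modules`, which is why the walk reports each install path rather than one version per package name.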
26 Other Versions
Version | License | Security advisories | Released | Age
---|---|---|---|---
0.6.3 | MIT | | 2022-01-23 - 01:50 | over 1 year
0.6.2 | MIT | | 2019-04-30 - 00:30 | over 4 years
0.6.1 | MIT | | 2016-05-03 - 04:47 | over 7 years
0.6.0 | MIT | 2 | 2015-09-30 - 01:21 | about 8 years
0.5.3 | MIT | 2 | 2015-05-11 - 02:19 | over 8 years
0.5.2 | MIT | 2 | 2015-05-07 - 05:18 | over 8 years
0.5.1 | MIT | 2 | 2015-02-15 - 01:54 | over 8 years
0.5.0 | MIT | 2 | 2014-12-19 - 04:05 | almost 9 years
0.4.9 | MIT | 2 | 2014-10-15 - 04:39 | almost 9 years
0.4.8 | MIT | 2 | 2014-09-28 - 21:46 | about 9 years
0.4.7 | MIT | 2 | 2014-06-24 - 22:32 | over 9 years
0.4.6 | MIT | 2 | 2014-06-11 - 19:36 | over 9 years
0.4.5 | MIT | 2 | 2014-05-29 - 15:53 | over 9 years
0.4.4 | MIT | 2 | 2014-05-29 - 15:19 | over 9 years
0.4.3 | MIT | 2 | 2014-04-16 - 14:12 | over 9 years
0.4.2 | MIT | 2 | 2014-03-01 - 03:06 | over 9 years
0.4.1 | MIT | 2 | 2014-01-16 - 17:02 | over 9 years
0.4.0 | MIT | 2 | 2014-01-09 - 15:23 | over 9 years
0.3.0 | MIT | 2 | 2013-10-18 - 20:12 | almost 10 years
0.2.8 | MIT | 2 | 2013-09-19 - 18:33 | about 10 years
0.2.7 | MIT | 2 | 2013-08-11 - 04:12 | about 10 years
0.2.6 | MIT | 2 | 2013-06-05 - 14:20 | over 10 years
0.2.5 | MIT | 2 | 2012-08-11 - 18:16 | about 11 years
0.2.4 | MIT | 2 | 2012-06-02 - 21:48 | over 11 years
0.2.3 | MIT | 2 | 2012-04-24 - 21:37 | over 11 years
0.1.0 | MIT | 2 | 2012-01-26 - 17:25 | over 11 years