npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...
Node.js third-party modules: [is-my-json-valid] ReDoS via 'style' format
I would like to report a ReDoS in is-my-json-valid. It allows causing a denial of service if the schema uses the built-in style format. Module name: is-my-json-valid version: 2.20.1 npm page: https://www.npmjs.com/package/is-my-json-valid Module Description A JSONSchema validator that uses code...
Denial of Service in gajus/url-regexp
Overview RegExp object to match and validate URLs. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker providing a long URL to the validate or replace function will cause a Denial of Service attack. PoC node `var regex = require("url-regexp");`...
Regular Expression Denial Of Service (ReDoS)
wappalyzer is vulnerable to regular expression denial of service. A catastrophic backtracking vulnerability in the regular expression used to parse URL allows an attacker to cause excessive resource consumption which can lead to a browser crash...
EulerOS 2.0 SP2 : python (EulerOS-SA-2020-1646)
According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct...
Regular Expression Denial of Service in websocket-extensions (NPM package)
Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...
GHSA-G6WQ-QCWM-J5G2 Regular Expression Denial of Service in websocket-extensions (RubyGem)
Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...
Regular Expression Denial of Service in websocket-extensions (RubyGem)
Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...
Regular Expression Denial Of Service (ReDoS)
url-regex is vulnerable to Regular Expression Denial of Service ReDoS. The attackers can send requests with very long strings to String.test to trigger an application crash by exhausting memory and high processing power...
FreeBSD : websocket-extensions -- ReDoS vulnerability (ca8327f7-a5a5-11ea-a860-08002728f74c)
Changelog : Remove a ReDoS vulnerability in the header parser CVE-2020-7663 (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database : Copyright 2003-2020 Jacques Vidrine and contributors Redistribution and use in sourc...
Amazon Linux 2 : python, --advisory ALAS2-2020-1432 (ALAS-2020-1432)
The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2020-1432 advisory. http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain:...
Regular Expression Denial Of Service (ReDoS)
websocket-extensions is vulnerable to regular expression denial of service ReDoS. The vulnerability exists in the regular expression used to parse quotes, allowing an unclosed string parameter value, of a repeating two-byte sequence of a backslash and another character, to parse in quadratic time...
Regular Expression Denial Of Service (ReDoS)
websocket-extensions is vulnerable to regular expression denial of service ReDoS. A regex backtracking is introduced due to the way the parser processes the Sec-WebSocket-Extensions header, using up quadratic time in a single-threaded server when an unclosed string parameter with repeating two-by...
Medium: python
Issue Overview: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has anoth...
CVE-2020-7662
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...
CVE-2020-7663
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...
CVE-2020-7662
CVE-2020-7662 affects the websocket-extensions npm module prior to 0.1.4. The vulnerability arises from the extension parser, which may enter exponential/regex backtracking on a header like Sec-WebSocket-Extensions with an unclosed string containing a repeating two-byte sequence, causing a Denial...
CVE-2020-7663
The CVE-2020-7663 issue affects the ruby-websocket-extensions library (prior to 0.1.5). The parser can take quadratic time when processing a Sec-WebSocket-Extensions header containing an unclosed string parameter value with a repeating two-byte sequence (backslash and a character), enabling Regex...