Bug 1500250 - nodejs-forwarded: Regular expression Denial of Service
Summary: nodejs-forwarded: Regular expression Denial of Service
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1500251 1516725 1516726
Blocks: 1500252
TreeView+ depends on / blocked
 
Reported: 2017-10-10 09:35 UTC by Andrej Nemec
Modified: 2019-09-29 14:23 UTC (History)
21 users (show)

Fixed In Version: nodejs-forwarded 0.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-16 02:54:15 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-10-10 09:35:51 UTC
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

References:

https://nodesecurity.io/advisories/527

Upstream patch:

https://github.com/jshttp/forwarded/commit/d469116eda4931fbe1c0ccb29497b35930bfa328

Comment 1 Andrej Nemec 2017-10-10 09:37:07 UTC
Created nodejs-forwarded tracking bugs for this issue:

Affects: fedora-all [bug 1500251]

Comment 2 Mark Knowles 2017-11-23 10:33:44 UTC
Created nodejs-forwarded tracking bugs for this issue:

Affects: openshift-1 [bug 1516726]

Comment 4 Jason Shepherd 2018-01-12 05:45:37 UTC
Could not find any usages of vulnerable Express API calls mentioned in Express security notification. "This may affect your application if the following APIs are used: req.host, req.hostname, req.ip, req.ips, req.protocol."
https://expressjs.com/en/changelog/4x.html#4.16.0

Marking RHMAP as notaffected.


Note You need to log in before you can comment on or make changes to this bug.