QwikSec

Security Database

CVE

CWE

Training

CVE-2023-26103

Published: Feb 25, 2023

Modified: Mar 11, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Vendor	Product	Versions
n/a	deno	affected `0 - < 1.31.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970

https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409

https://github.com/denoland/deno/pull/17722

https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06

https://github.com/denoland/deno/releases/tag/v1.31.0

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.