Home > Vulnerability Database > CVE-2023-26103

Mend.io Vulnerability Database

CVE-2023-26103

Good to know:

Date: February 25, 2023

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.

Language: RUST

Severity Score

5.3

Related Resources (9)

Url: https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06

Url: https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js#L395-L409

Url: https://github.com/denoland/deno/pull/17722

Url: https://github.com/denoland/deno

Url: https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26103

Url: https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409

Url: https://github.com/denoland/deno/releases/tag/v1.31.0

Url: https://www.mend.io/vulnerability-database/CVE-2023-26103

Severity Score

5.3

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version deno - 1.31.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26103

Good to know:

Date: February 25, 2023

Language: RUST

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?