CVE-2016-10539 — Regular Expression Denial of Service in negotiator

Description

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

How to fix CVE-2016-10539

To remediate CVE-2016-10539, upgrade the affected package to a fixed version below.

—upgrade to 0.6.1-1 or later
—upgrade to 0.6.1 or later

Is CVE-2016-10539 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.6.1-1
from 0, < 0.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYgithub.com/advisories/GHSA-7mc5-chhp-fmc3
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10539
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-10539
WEBwww.npmjs.com/advisories/106