JFrog Security Research

XRAY-209780 - hawk ReDoS

CVE-2022-29167 | CVSS 5.9

JFrog Severity:medium

Published 30 May. 2022 | Last updated 30 May. 2022

Exponential ReDoS in hawk leads to denial of service


hawk (,9.0.1), fixed in 9.0.1

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the hawk npm package, when an attacker is able to supply arbitrary input to the Hawk.utils.parseHost method

'\t:0\r\n' + '\t\r\n\t\r\n'.repeat(i) + '\rA'

No mitigations are supplied for this issue