JFrog Security Research
< Back

XRAY-209780 - hawk ReDoS

CVE-2022-29167 | CVSS 5.9

JFrog Severity:medium

Discovered ByDenys Vozniukof the JFrog Security Research Team

Published 30 May, 2022 | Last updated 30 May, 2022

Exponential ReDoS in hawk leads to denial of service


hawk (,9.0.1), fixed in 9.0.1

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the hawk npm package, when an attacker is able to supply arbitrary input to the Hawk.utils.parseHost method

'\t:0\r\n' + '\t\r\n\t\r\n'.repeat(i) + '\rA'

No mitigations are supplied for this issue


< Back