CVE-2016-10539
Denial of service vulnerability in negotiator (npm)
What is CVE-2016-10539 About?
This vulnerability is a regular expression denial of service (ReDoS) affecting versions of the `negotiator` package prior to 0.6.1. It can lead to a denial of service by consuming excessive CPU resources when parsing a specially crafted `Accept-Language` header. Exploiting this vulnerability is relatively easy, requiring only a malicious HTTP request.
Affected Software
Technical Details
The negotiator package is vulnerable to a regular expression denial of service stemming from an inefficient regular expression used to process Accept-Language headers. An attacker can craft an Accept-Language header value that, when matched against the vulnerable regular expression, triggers catastrophic backtracking. Processing time and CPU utilization then grow dramatically even for small inputs, effectively hanging the application and resulting in a denial of service. The attack vector is an HTTP request carrying the malicious header to the affected server.
What is the Impact of CVE-2016-10539?
Successful exploitation may allow attackers to disrupt service availability, causing the application to become unresponsive and potentially leading to a denial of service.
What is the Exploitability of CVE-2016-10539?
Exploitation of this ReDoS vulnerability is of low complexity. It requires no authentication or specific privileges, as it targets how the server processes standard HTTP headers. The attack is remote, requiring only a malicious HTTP request to the vulnerable endpoint. The primary risk factor is the public exposure of the affected application, as any unauthenticated user can trigger the vulnerability by sending a specially crafted Accept-Language header. No special conditions beyond the presence of the vulnerable negotiator version are necessary.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-10539?
About the Fix from Resolved Security
This patch updates the regular expression to more strictly parse language codes, preventing invalid or malicious input from being interpreted as valid. By tightening the accepted character set, it addresses an input validation vulnerability in CVE-2016-10539 that could allow attackers to bypass security controls or trigger unexpected application behavior.
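The following is an added example, not code from the negotiator project: an Accept-Language parser that validates each language tag with a single left-to-right scan and a strict character set instead of a regular expression, and caps the header length, so parse time stays linear in the input no matter how the header is constructed. The names `MAX_HEADER_LENGTH`, `isValidLanguageTag` and `parseAcceptLanguage` are this example's own.

```javascript
// Added example (not negotiator's own code): backtracking-free
// Accept-Language parsing. No regular expression is used on the
// header, so there is no state for catastrophic backtracking.

const MAX_HEADER_LENGTH = 1024; // assumed cap; tune per deployment

function isAlnum(code) {
  return (code >= 48 && code <= 57) ||   // 0-9
         (code >= 65 && code <= 90) ||   // A-Z
         (code >= 97 && code <= 122);    // a-z
}

// A tag is '*' or 1..n subtags of 1-8 alphanumerics joined by '-'.
// One pass over the string, O(length), every branch returns early.
function isValidLanguageTag(tag) {
  if (tag === '*') return true;
  let run = 0;                      // length of the current subtag
  for (let i = 0; i < tag.length; i++) {
    const c = tag.charCodeAt(i);
    if (c === 45) {                 // '-'
      if (run === 0) return false;  // leading or doubled '-'
      run = 0;
    } else if (isAlnum(c)) {
      if (++run > 8) return false;  // subtag too long
    } else {
      return false;                 // anything outside the strict set
    }
  }
  return run > 0;                   // must not end in '-'
}

// Returns a q value in [0,1] for a "q=..." parameter, else null.
function parseQValue(param) {
  const eq = param.indexOf('=');
  if (eq < 0 || param.slice(0, eq).trim().toLowerCase() !== 'q') return null;
  const q = Number(param.slice(eq + 1).trim());
  return Number.isFinite(q) && q >= 0 && q <= 1 ? q : null;
}

// Parses the header into [{tag, q}] sorted by descending q, dropping
// malformed tags and q=0 entries. Oversized headers are rejected up front.
function parseAcceptLanguage(header) {
  if (typeof header !== 'string') return [];
  if (header.length > MAX_HEADER_LENGTH) {
    throw new RangeError('Accept-Language header too long');
  }
  const out = [];
  for (const part of header.split(',')) {
    const [rawTag, ...params] = part.split(';');
    const tag = rawTag.trim();
    if (!isValidLanguageTag(tag)) continue;
    let q = 1;
    for (const p of params) { const v = parseQValue(p); if (v !== null) q = v; }
    if (q > 0) out.push({ tag, q });
  }
  return out.sort((a, b) => b.q - a.q); // stable: header order kept for ties
}
```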
Available Upgrade Options
- negotiator
  - <0.6.1 → Upgrade to 0.6.1
Additional Resources
What are Similar Vulnerabilities to CVE-2016-10539?
Similar Vulnerabilities: CVE-2016-1000232, CVE-2017-16118, CVE-2013-4002, CVE-2015-6420
