CVE-2016-2515
regular expression denial of service vulnerability in hawk (npm)
What is CVE-2016-2515 About?
Versions of `hawk` prior to 3.1.3 and 4.x prior to 4.1.1 are affected by a regular expression denial of service (ReDoS). This vulnerability is triggered by excessively long headers and URIs, causing the application to become unresponsive. The exploit is relatively easy to trigger with crafted HTTP requests.
Affected Software
- hawk
  - >4.0.0, <4.1.1
  - <3.1.3
Technical Details
The hawk module, in vulnerable versions, utilizes regular expressions that are susceptible to catastrophic backtracking when processing overly long or complex HTTP headers and URIs. When an attacker sends an HTTP request with an unusually long or specially crafted header (e.g., Authorization header containing Hawk credentials) or URI, the underlying regular expression engine enters a state where it evaluates an exponential number of possible matching paths. This exponential complexity consumes a disproportionate amount of CPU resources, causing the Node.js process to hang or become extremely slow. This resource exhaustion leads to a denial of service for legitimate requests as the server becomes unresponsive.
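The defensive pattern that follows is an added example, not code from hawk or from the advisory. It shows the two layers a server can put in front of a Hawk authenticator to avoid the failure mode described above: an O(1) size gate that rejects oversized Authorization headers and URIs before any parsing, and a single-pass tokenizer for the `Hawk key="value", ...` header format that visits each character once and never backtracks, so its running time is linear in the header length regardless of content. The length limits, the 431/414 status mapping and the function names are assumptions chosen for illustration; the attribute names are those of the Hawk scheme.

```javascript
// Added example, not hawk's own code: size gating plus a linear-time parser
// for the Hawk Authorization header, placed in front of the real authenticator.
// The limits below are assumptions for illustration, not values from the
// advisory or from hawk's fix.

const MAX_AUTH_HEADER_LENGTH = 4096; // assumed cap on the Authorization header
const MAX_URI_LENGTH = 2048;         // assumed cap on the request URI

// Attribute names defined by the Hawk scheme, and the ones a server needs
// before it can start validating a request at all.
const ALLOWED_KEYS = new Set(['id', 'ts', 'nonce', 'hash', 'ext', 'mac', 'app', 'dlg']);
const REQUIRED_KEYS = ['id', 'ts', 'nonce', 'mac'];

function isAlpha(ch) {
  return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
}

// Layer 1: constant-time length checks, mapped to the HTTP status a server
// would answer with (431 Request Header Fields Too Large, 414 URI Too Long).
function checkRequestSize(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  if (auth.length > MAX_AUTH_HEADER_LENGTH) {
    return { ok: false, status: 431, reason: 'authorization header too long' };
  }
  if ((req.url || '').length > MAX_URI_LENGTH) {
    return { ok: false, status: 414, reason: 'request URI too long' };
  }
  return { ok: true };
}

// Layer 2: parse `Hawk id="...", ts="...", nonce="...", mac="..."` in one
// left-to-right pass. Every index is visited once and the first malformed
// character ends the parse, so no input can make it exponentially slow.
function parseHawkHeader(header) {
  if (typeof header !== 'string') return { error: 'missing header' };
  if (header.length > MAX_AUTH_HEADER_LENGTH) return { error: 'header too long' };
  if (header.slice(0, 5).toLowerCase() !== 'hawk ') return { error: 'not a Hawk header' };

  const attrs = {};
  const n = header.length;
  let i = 5;
  for (;;) {
    while (i < n && header[i] === ' ') i++;
    if (i >= n) return { error: 'expected attribute' }; // also rejects a trailing comma

    // key: one or more ASCII letters followed by ="
    const keyStart = i;
    while (i < n && isAlpha(header[i])) i++;
    const key = header.slice(keyStart, i);
    if (key.length === 0 || header[i] !== '=' || header[i + 1] !== '"') {
      return { error: `malformed attribute at offset ${keyStart}` };
    }
    i += 2;

    // value: printable ASCII without backslash; the first quote ends it
    const valueStart = i;
    while (i < n && header[i] !== '"') {
      const c = header.charCodeAt(i);
      if (c < 0x20 || c > 0x7e || c === 0x5c) return { error: `bad character at offset ${i}` };
      i++;
    }
    if (i >= n) return { error: 'unterminated quoted value' };
    const value = header.slice(valueStart, i);
    i++; // past the closing quote

    if (!ALLOWED_KEYS.has(key)) return { error: `unknown attribute ${key}` };
    if (Object.prototype.hasOwnProperty.call(attrs, key)) return { error: `duplicate attribute ${key}` };
    attrs[key] = value;

    // attributes are separated by a comma; spaces around it are allowed
    while (i < n && header[i] === ' ') i++;
    if (i >= n) break;
    if (header[i] !== ',') return { error: `expected comma at offset ${i}` };
    i++;
  }

  for (const k of REQUIRED_KEYS) {
    if (!Object.prototype.hasOwnProperty.call(attrs, k)) return { error: `missing required attribute ${k}` };
  }
  return { attrs };
}

// Both layers in front of the real authenticator (not shown): only requests
// that pass both reach the MAC verification.
function preAuthenticate(req) {
  const size = checkRequestSize(req);
  if (!size.ok) return { status: size.status, reason: size.reason };
  const parsed = parseHawkHeader(req.headers.authorization);
  if (parsed.error) return { status: 400, reason: parsed.error };
  return { status: 200, attrs: parsed.attrs };
}

// Sample header in the Hawk format (values are illustrative, not real credentials).
const SAMPLE_AUTH = 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ' +
  'ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="';

console.log(preAuthenticate({ url: '/resource/1?b=1&a=2', headers: { authorization: SAMPLE_AUTH } }));
console.log(preAuthenticate({ url: '/resource/1', headers: { authorization: 'Hawk ' + 'a'.repeat(10000) } }));
```

The size gate is the part that matters for this CVE: whatever parser sits behind it, including a regex-based one, only ever sees bounded input, so worst-case parsing cost is bounded too. The hand-written tokenizer removes the nested-quantifier problem entirely and is easy to reason about, which is why it is preferable to tuning a regular expression.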
What is the Impact of CVE-2016-2515?
Successful exploitation may allow attackers to consume excessive CPU resources, causing the application to hang or become unresponsive, resulting in a denial of service.
What is the Exploitability of CVE-2016-2515?
Exploitation of this vulnerability is of low complexity. An attacker can remotely trigger this ReDoS by sending HTTP requests with excessively long or specially malformed Authorization headers or URIs that are processed by the hawk module. No authentication is required for unauthenticated endpoints, but authenticated endpoints would require valid Hawk authentication to trigger the vulnerability within the authenticated context. The attack is remote, and no specific privileges are necessary beyond the ability to send HTTP requests to the target server. The primary constraint is that the server must be running a vulnerable version of hawk. The simplicity of constructing the malicious request and the potential for severe impact on service availability increase the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-2515?
Available Upgrade Options
- hawk
  - <3.1.3 → Upgrade to 3.1.3
  - >4.0.0, <4.1.1 → Upgrade to 4.1.1
Additional Resources
- https://github.com/hueniverse/hawk/issues/168
- http://www.openwall.com/lists/oss-security/2016/02/20/2
- http://www.openwall.com/lists/oss-security/2016/02/20/1
- https://www.npmjs.com/advisories/77
- https://github.com/advisories/GHSA-jcpv-g9rr-qxrc
- https://nvd.nist.gov/vuln/detail/CVE-2016-2515
- https://github.com/hueniverse/hawk
What are Similar Vulnerabilities to CVE-2016-2515?
Similar Vulnerabilities: CVE-2017-16136, CVE-2018-16469, CVE-2018-3728, CVE-2017-1000007, CVE-2017-5942
