CVE-2017-16118
Denial of service vulnerability in forwarded (npm)

Category: Denial of service. Known public exploit: none.

What is CVE-2017-16118 About?

The `forwarded` package, which parses the X-Forwarded-For header into a list of addresses, is vulnerable to regular expression denial of service (ReDoS) in versions before 0.1.2. A crafted header value makes the regular expression used to split the list backtrack for a time that grows super-linearly with the input length, degrading performance or leaving the application unresponsive. Exploitation only requires sending the crafted header to the application.

Affected Software

forwarded <0.1.2

Technical Details

Affected versions of the forwarded package split the header value with a regular expression that is subject to catastrophic backtracking. When an attacker supplies a value shaped so that the engine must try and abandon a large number of overlapping partial matches (long runs of a repeated character are the classic shape), evaluating the expression takes time that grows super-linearly with the length of the value. Node.js evaluates regular expressions synchronously on its single event-loop thread, so while the match runs the process serves no other requests; a single oversized header is enough to stall the whole application, and repeated requests keep it stalled. The attack vector is the X-Forwarded-For header, or any other user-controlled input an application passes to the package's parser.
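The following is an added example, not code from the forwarded package or from this advisory. It contrasts a regex-based X-Forwarded-For splitter with a regex-free scanner that produces the same output, and times both on a constructed hostile header value. The separator pattern `/ *, */` (optional spaces on either side of a comma) is an assumption about the shape of a backtracking-prone splitter, not a quote of the vulnerable source; the function names and the hostile input are likewise constructed here.

```javascript
'use strict';

// Added example, not the forwarded package's source. It contrasts a
// regex-based X-Forwarded-For splitter with a regex-free scanner and
// times both on a constructed hostile header value.

// Assumed shape of a backtracking-prone separator: optional spaces on
// either side of the comma. Not a quote of the vulnerable code.
const SEPARATOR_RE = / *, */;

// Regex splitter. split() retries the pattern at every position. Inside
// a run of spaces that is not followed by a comma, ` *` first eats the
// whole run, fails on `,`, then gives back one space at a time before
// the engine gives up and moves one position to the right. Total work
// is therefore quadratic in the length of the run.
function splitWithRegex(header) {
  return header.split(SEPARATOR_RE).filter(Boolean);
}

// Regex-free splitter with the same output: one pass over the value,
// constant work per character. It splits on ',' and strips only the
// spaces that touch a comma, leaving other spaces alone, and drops empty
// entries, so benign and hostile input both parse identically.
function splitLinear(header) {
  const entries = [];
  let start = 0;
  for (let i = 0; i <= header.length; i++) {
    if (i === header.length || header.charCodeAt(i) === 0x2c /* , */) {
      let s = start;
      let e = i;
      // strip spaces after the previous comma (not at the very start)
      if (start !== 0) while (s < e && header.charCodeAt(s) === 0x20) s++;
      // strip spaces before this comma (not at the very end)
      if (i !== header.length) while (e > s && header.charCodeAt(e - 1) === 0x20) e--;
      if (e > s) entries.push(header.slice(s, e));
      start = i + 1;
    }
  }
  return entries;
}

// Constructed hostile value: two ordinary entries, then a long run of
// spaces inside the last entry. The run is placed inside the value
// rather than at its end because HTTP parsers normally strip optional
// whitespace around a header value before application code sees it.
function hostileHeader(runLength) {
  return '203.0.113.5, 198.51.100.7' + ' '.repeat(runLength) + 'x';
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Quadrupling the run should multiply the regex time by roughly 16
// while the linear scanner stays flat.
for (const n of [4000, 16000]) {
  const h = hostileHeader(n);
  console.log(`run of ${n} spaces: regex ${timeMs(splitWithRegex, h).toFixed(1)} ms, ` +
              `linear ${timeMs(splitLinear, h).toFixed(1)} ms`);
}
```

Run it with `node` and compare the two columns; the regex column grows with the square of the run length, the linear column with the run length. The scanner deliberately reproduces the regex's quirk of keeping spaces at the very start and end of the whole value so the two can be compared entry for entry; a production replacement would also trim those.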

What is the Impact of CVE-2017-16118?

Successful exploitation lets an unauthenticated remote attacker tie up the server's event loop with a single request, making the application unresponsive to every client for as long as the regular expression is evaluated; repeated requests sustain the outage. The impact is limited to availability: no data is disclosed or modified.

What is the Exploitability of CVE-2017-16118?

Exploitation is low-complexity. It needs no authentication or privileges, because the vulnerable code runs over the raw X-Forwarded-For header (or whatever other input the application hands to the parser) of any incoming request, and it works remotely: the attacker sends a request whose header value is shaped to trigger the backtracking. The only prerequisite is that an application reachable by untrusted clients uses a vulnerable version of forwarded, directly or through a dependency that resolves client addresses from proxy headers on its behalf; public-facing web applications that rely on such headers are the main risk group. A reverse proxy in front of the application does not help by itself, since proxies normally append their own entry to X-Forwarded-For rather than discarding the client-supplied value.
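A defence-in-depth check for applications that cannot upgrade immediately, added here as an example and not taken from the forwarded package, Express or this advisory. It bounds the length and shape of X-Forwarded-For before any downstream parser sees it (in Express that includes `req.ip` and `req.ips`, which resolve through proxy-addr and forwarded). The limits, the accepted entry pattern and the function names are assumptions chosen for illustration.

```javascript
'use strict';

// Added example: reject oversized or malformed X-Forwarded-For values
// before any downstream parser runs a regex over them. Limits and the
// accepted entry shape are illustrative assumptions, not from the package.
const MAX_VALUE_LENGTH = 1024;   // generous for any real proxy chain
const MAX_ENTRIES = 32;
// One IPv4 or IPv6 literal. A bounded, anchored character class has no
// nested or overlapping quantifiers, so this regex itself cannot blow up.
const ENTRY_RE = /^[0-9A-Fa-f.:]{1,45}$/;

// Returns { ok: true } or { ok: false, reason } for a raw header value.
// undefined means the header is absent, which is acceptable.
function checkForwardedFor(value) {
  if (value === undefined) return { ok: true };
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > MAX_VALUE_LENGTH) return { ok: false, reason: 'too long' };

  // Split with indexOf rather than a regex so the guard cannot itself
  // become the slow path.
  let count = 0;
  let start = 0;
  while (start <= value.length) {
    let comma = value.indexOf(',', start);
    if (comma === -1) comma = value.length;
    const entry = value.slice(start, comma).trim();
    if (entry.length > 0) {
      if (++count > MAX_ENTRIES) return { ok: false, reason: 'too many entries' };
      if (!ENTRY_RE.test(entry)) return { ok: false, reason: 'malformed entry' };
    }
    start = comma + 1;
  }
  return { ok: true };
}

// Express/Connect-style middleware (req, res, next). Mount it before
// anything that reads req.ip or req.ips or calls the parser directly.
function forwardedForGuard(req, res, next) {
  const verdict = checkForwardedFor(req.headers['x-forwarded-for']);
  if (!verdict.ok) {
    res.statusCode = 400;
    res.end('rejected X-Forwarded-For: ' + verdict.reason);
    return;
  }
  next();
}
```

Node lower-cases header names and joins repeated X-Forwarded-For headers into one comma-separated string, so the guard only ever sees a string or undefined. The entry pattern is strict on purpose: if your proxies emit tokens such as `unknown` or bracketed IPv6 literals, widen it, but keep it anchored and free of nested quantifiers.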

What are the Known Public Exploits?

No known public exploits have been catalogued for this issue.

What are the Available Fixes for CVE-2017-16118?

Available Upgrade Options

  • forwarded
    • <0.1.2 → Upgrade to 0.1.2 or later

forwarded is usually a transitive dependency (proxy-addr, and through it Express, depend on it); `npm ls forwarded` shows which package pins the vulnerable version so the right parent can be updated.


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16118?

Similar Vulnerabilities: CVE-2016-10539, CVE-2016-1000232, CVE-2013-4002, CVE-2015-6420