CVE-2017-16119
regular expression denial of service vulnerability in fresh (npm)
What is CVE-2017-16119 About?
This vulnerability is a regular expression denial of service (ReDoS) in `fresh` versions before 0.5.2, triggered when the module parses specially crafted user input. It can block the application's event loop, leading to a denial of service. Exploiting this vulnerability is straightforward, requiring only a malicious input string.
Affected Software
Technical Details
The regular expression denial of service (ReDoS) vulnerability in affected versions of the fresh module occurs during the parsing of user-supplied input that is evaluated against an inefficiently constructed regular expression. When an attacker provides a carefully crafted string with repeating patterns, the regex engine may exhibit catastrophic backtracking. This computational explosion consumes significant CPU resources, causing the application's event loop to become unresponsive or blocked for an extended period. This effectively prevents the server from processing other requests, leading to a denial of service condition. The specific impact depends on the duration of the block and the rate at which malicious requests are sent.
What is the Impact of CVE-2017-16119?
Successful exploitation may allow attackers to render the application unresponsive, leading to a denial of service (DoS) and impacting system availability for legitimate users.
What is the Exploitability of CVE-2017-16119?
Exploitation of this vulnerability is of low complexity. It typically requires no authentication or specific privileges, as attackers only need to provide specially crafted user input to an application that utilizes the vulnerable fresh library. The attack is remote, as it can be initiated by sending a malicious string via network requests. Prerequisites include an application using a vulnerable version of fresh where user input is processed. There are no special conditions beyond the input being fed into the module's parsing logic. The risk of exploitation is high, especially for public-facing applications that do not adequately validate or limit the length of user-supplied input before passing it to the fresh module.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16119?
About the Fix from Resolved Security
Available Upgrade Options
- fresh
  - <0.5.2 → Upgrade to 0.5.2
Additional Resources
What are Similar Vulnerabilities to CVE-2017-16119?
Similar Vulnerabilities: CVE-2023-28155, CVE-2023-28156, CVE-2023-28157, CVE-2023-28158, CVE-2023-26136
