CVE-2017-16136
regular expression denial of service vulnerability in method-override (npm)
What is CVE-2017-16136 About?
This vulnerability is a regular expression denial of service (ReDoS) in the `method-override` module. It occurs when untrusted user input, specifically in the `X-HTTP-Method-Override` header, is processed by a vulnerable regular expression. Exploitation can lead to excessive CPU consumption and service unavailability, and it is relatively easy to trigger.
Affected Software
- method-override
  - >1.0.2, <2.3.10
  - >2.0.0, <2.3.10
Technical Details
The method-override module in affected versions contains a regular expression that is susceptible to a ReDoS vulnerability. This vulnerability is triggered when an attacker supplies a specially crafted, complex string in the X-HTTP-Method-Override HTTP header. The regular expression used internally by the module for parsing or validation exhibits catastrophic backtracking when faced with such input. This causes the regular expression engine to consume disproportionately large amounts of CPU time, iterating through an exponential number of possible matches. Consequently, the Node.js process handling the request becomes unresponsive, leading to a denial of service for that particular request and potentially for the entire application, depending on the server's concurrency model.
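The mitigation the text implies is to keep header parsing cost proportional to header length. As an added illustration (not code from the method-override project or this advisory), the parser below handles the `X-HTTP-Method-Override` header with a single forward scan instead of a regular expression, caps the header length before doing any work, and only honours an assumed allow-list of target methods on POST requests.

```javascript
// Added example (not from the method-override project): a regex-free parser
// for the X-HTTP-Method-Override header. Work done is linear in the header
// length, and the length is capped up front, so no crafted input can make
// parsing disproportionately expensive.

// Assumed allow-list of methods an override may produce; real deployments
// should list only what the application actually handles.
const ALLOWED_OVERRIDES = new Set(['PUT', 'PATCH', 'DELETE']);

// Assumed cap: reject oversized headers before parsing them at all.
const MAX_HEADER_LENGTH = 64;

// Split a comma-separated header value into trimmed, upper-cased tokens in
// one pass. Returns null when the header is missing or longer than the cap.
function parseOverrideHeader(value) {
  if (typeof value !== 'string') return null;
  if (value.length > MAX_HEADER_LENGTH) return null;

  const tokens = [];
  let current = '';
  for (let i = 0; i < value.length; i++) {
    if (value[i] === ',') {
      tokens.push(current.trim());
      current = '';
    } else {
      current += value[i];
    }
  }
  tokens.push(current.trim());
  return tokens.filter((t) => t.length > 0).map((t) => t.toUpperCase());
}

// Resolve the effective method: only a POST may be overridden (assumed
// policy), and only to an allow-listed method. Otherwise the original
// method is kept.
function resolveMethod(originalMethod, headerValue) {
  if (originalMethod !== 'POST') return originalMethod;
  const tokens = parseOverrideHeader(headerValue);
  if (!tokens) return originalMethod;
  // Use the first recognised token and ignore everything else in the list.
  for (const token of tokens) {
    if (ALLOWED_OVERRIDES.has(token)) return token;
  }
  return originalMethod;
}

console.log(resolveMethod('POST', 'patch, DELETE')); // PATCH
```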
What is the Impact of CVE-2017-16136?
Successful exploitation may allow attackers to cause the server to consume excessive CPU resources, leading to application unresponsiveness and a denial of service.
What is the Exploitability of CVE-2017-16136?
Exploitation of this vulnerability is of low complexity. It requires an attacker to send an HTTP request with a specially crafted X-HTTP-Method-Override header containing a malicious string designed to trigger catastrophic backtracking in the regular expression. No authentication is typically required, as this header is part of standard HTTP requests. The attack is remote, targeting a web server running the vulnerable method-override module. No special privileges are needed. The main condition is that the module must be in use, and the server must process the X-HTTP-Method-Override header. The ease of sending a malformed header and the potential for a simple string to cause significant impact increase the exploitability risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16136?
Available Upgrade Options
- method-override
  - >2.0.0, <2.3.10 → Upgrade to 2.3.10
Additional Resources
- https://github.com/expressjs/method-override
- https://nodesecurity.io/advisories/538
- https://osv.dev/vulnerability/GHSA-qx2f-477c-35rq
- https://nvd.nist.gov/vuln/detail/CVE-2017-16136
- https://github.com/expressjs/method-override/commit/4c58835a61fdf7a8e070d6f8ecd5379a961d0987
- https://www.npmjs.com/advisories/538
What are Similar Vulnerabilities to CVE-2017-16136?
Similar Vulnerabilities: CVE-2016-2515, CVE-2018-16469, CVE-2018-3728, CVE-2017-1000007, CVE-2017-5942
