CVE-2017-16138
Regular Expression Denial of Service vulnerability in mime (npm)
What is CVE-2017-16138 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in affected versions of the `mime` library. It occurs when performing a mime lookup on untrusted user input, leading to excessive CPU consumption. Exploitation is triggered by providing specially crafted input to the mime lookup function.
Affected Software
- mime
  - <1.4.1
  - >2.0.0, <2.0.3
Technical Details
The mime library in affected versions contains an inefficient regular expression used during mime type lookups. When untrusted user input, specifically tailored to cause catastrophic backtracking in this regex, is passed to the library's lookup function, the regular expression engine consumes an exponential amount of CPU resources. This high CPU usage can render the application unresponsive, effectively causing a Denial of Service.
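To make the backtracking point concrete, here is an added example (my own illustration, not code quoted from the mime project): an unanchored extension-extraction regex of the kind the page describes, beside an anchored form and a regex-free scan that do the same job in linear time, plus a caller-side length guard. The exact patterns, the function names and MAX_PATH_LEN are assumptions made for this example.

```javascript
// Added example, not the mime library's code. The patterns below are my
// illustration of the shape the page describes (assumption).

// Inefficient shape: the pattern is unanchored, so when the input contains no
// '.', '/' or '\' the engine retries the greedy `.*` from every start position
// and the total work grows with the square of the input length.
function extUnanchored(path) {
  return path.replace(/.*[\.\/\\]/, '').toLowerCase();
}

// Hardened form: the ^ anchor allows exactly one match attempt, so the cost is
// bounded by a single greedy pass plus one backtrack over the input (linear).
function extAnchored(path) {
  return path.replace(/^.*[\.\/\\]/, '').toLowerCase();
}

// Regex-free equivalent: walk back to the last separator; no backtracking at
// all, and the result is identical to the regex versions on every input.
function extNoRegex(path) {
  let cut = -1;
  for (let i = path.length - 1; i >= 0; i--) {
    const c = path[i];
    if (c === '.' || c === '/' || c === '\\') { cut = i; break; }
  }
  return path.slice(cut + 1).toLowerCase();
}

// Caller-side mitigation for untrusted input: bound the length before any
// lookup, so even a still-vulnerable dependency is never handed a large n.
const MAX_PATH_LEN = 1024; // assumption: a sane limit for a filename field
function safeExt(path) {
  if (typeof path !== 'string' || path.length > MAX_PATH_LEN) return '';
  return extNoRegex(path);
}

// Constructed sample inputs covering the ordinary cases a fix must preserve.
const SAMPLES = ['index.HTML', 'a/b/c.tar.gz', 'C:\\dir\\file.txt',
                 'noext', '.hiddenfile', 'dir/'];

// Regression check: all three extractors agree on short, benign inputs.
function allAgree(samples) {
  return samples.every((s) => extUnanchored(s) === extAnchored(s)
                           && extAnchored(s) === extNoRegex(s));
}
```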
What is the Impact of CVE-2017-16138?
Successful exploitation may allow attackers to cause excessive CPU consumption, making the application unresponsive, and leading to a denial of service for users.
What is the Exploitability of CVE-2017-16138?
Exploitation involves providing a specially crafted string as input to the mime lookup function, which then triggers the inefficient regular expression. The complexity is low to moderate, requiring knowledge of ReDoS attack patterns. No authentication is required, since the vulnerability lies in how input is processed. Exploitation is typically remote, wherever user-supplied input determines what is passed to a mime lookup. The primary risk factor is processing untrusted input that is then used in contexts performing mime type determination with the vulnerable library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16138?
About the Fix from Resolved Security
The patch changes the regular expression to ensure it only removes the shortest prefix ending with a dot, slash, or backslash, preventing the extension from being an empty string when a filename starts with one of these characters. This fixes CVE-2017-16138 by preventing attackers from bypassing security checks through paths like ".hiddenfile", which previously resulted in an empty extension and potentially led to an incorrect or unsafe MIME type being returned.
Available Upgrade Options
- mime
  - <1.4.1 → Upgrade to 1.4.1
- mime
  - >2.0.0, <2.0.3 → Upgrade to 2.0.3
Additional Resources
- https://nodesecurity.io/advisories/535
- https://github.com/broofa/node-mime/issues/167
- https://github.com/broofa/mime
- https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d
- https://nvd.nist.gov/vuln/detail/CVE-2017-16138
- https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0
- https://osv.dev/vulnerability/GHSA-wrvr-8mpx-r7pp
What are Similar Vulnerabilities to CVE-2017-16138?
Similar Vulnerabilities: CVE-2016-10537, CVE-2017-20165, CVE-2018-1107, CVE-2018-16461, CVE-2019-8331
