CVE-2022-29167
Denial of Service vulnerability in hawk (npm)

Category: Denial of Service | Known exploit: none | Fixable by Resolved Security

What is CVE-2022-29167 About?

This vulnerability in the Hawk authentication scheme, specifically in `Hawk.utils.parseHost()`, allows a Regular Expression Denial of Service (ReDoS) attack. A crafted `Host` header can cause the regular expression to consume exponential computation time, leading to a denial of service. Exploitation is straightforward: it requires only sending a malformed `Host` header.

Affected Software

hawk <9.0.1

Technical Details

The Hawk authentication scheme, which provides mechanisms for authenticated HTTP requests, uses a regular expression within its `Hawk.utils.parseHost()` function to parse the `Host` HTTP header. This regular expression is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. An attacker can craft a `Host` header containing a specially designed string that, while being matched against the regex, causes the regex engine to backtrack excessively. As more characters are added to this malicious input, the computation time required for parsing grows exponentially, consuming significant CPU resources. This resource exhaustion can render the server unresponsive, resulting in a denial of service.
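The defensive shape of a fix for this class of bug, as an added example that is not hawk's own code (upgrading to hawk 9.0.1 remains the actual remediation): parse the `Host` header with a parser whose running time is linear in the input length, and enforce a length cap before any authentication library sees the header. `parseHostSafe`, `checkRequestHost`, `MAX_HOST_HEADER_LENGTH` and the 255-byte cap are assumptions chosen for this illustration; the sample headers are constructed, not captured traffic.

```javascript
'use strict';

// Added example (not hawk's code): a Host header parser whose cost is linear in
// the input length, plus a request-level gate that rejects bad headers before
// any downstream library (such as hawk) parses them. Names and the length cap
// are assumptions made for this illustration.

// Assumption: 253 octets is the DNS hostname limit; a bracketed IPv6 literal
// plus ":65535" also fits comfortably under 255.
const MAX_HOST_HEADER_LENGTH = 255;

// Each pattern is a single character class between anchors. With no nested or
// overlapping quantifiers there is exactly one way to match, so the engine
// never backtracks and runtime stays linear in the input length.
const HOSTNAME_CHARS = /^[A-Za-z0-9.-]+$/;
const IPV6_CHARS = /^\[[0-9A-Fa-f:.]+\]$/;
const PORT_DIGITS = /^[0-9]{1,5}$/;

/**
 * Parse "name", "name:port", "[v6]" or "[v6]:port" into { name, port }.
 * Returns null for anything malformed; never throws.
 */
function parseHostSafe(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  // Cap the size first: even a linear parser should not be fed megabytes.
  if (hostHeader.length > MAX_HOST_HEADER_LENGTH) return null;

  const value = hostHeader.trim();
  if (value.length === 0) return null;

  let name;
  let rest;
  if (value[0] === '[') {
    // IPv6 literal: the name runs up to and including the closing bracket.
    const close = value.indexOf(']');
    if (close === -1) return null;
    name = value.slice(0, close + 1);
    rest = value.slice(close + 1);
    if (!IPV6_CHARS.test(name)) return null;
  } else {
    const colon = value.indexOf(':');
    name = colon === -1 ? value : value.slice(0, colon);
    rest = colon === -1 ? '' : value.slice(colon);
    if (!HOSTNAME_CHARS.test(name)) return null;
    // Labels must be non-empty: no leading or trailing dot, no empty label.
    if (name.startsWith('.') || name.endsWith('.') || name.includes('..')) return null;
  }

  let port = null;
  if (rest.length > 0) {
    if (rest[0] !== ':') return null;
    const digits = rest.slice(1);
    if (!PORT_DIGITS.test(digits)) return null;
    port = Number(digits);
    if (port < 1 || port > 65535) return null;
  }

  return { name, port };
}

/**
 * Gate for incoming requests: validate the Host header (or a proxy header such
 * as X-Forwarded-Host, selected via hostHeaderName) before handing the request
 * to authentication code. Node lower-cases header names in req.headers, so the
 * lookup key is lower-cased too.
 */
function checkRequestHost(headers, hostHeaderName = 'host') {
  const raw = headers[hostHeaderName.toLowerCase()];
  if (raw === undefined) {
    return { ok: false, status: 400, reason: 'missing ' + hostHeaderName + ' header' };
  }
  const host = parseHostSafe(raw);
  if (host === null) {
    return { ok: false, status: 400, reason: 'malformed ' + hostHeaderName + ' header' };
  }
  return { ok: true, host };
}

// Constructed sample headers (not captured traffic) exercising the gate.
const SAMPLE_REQUESTS = [
  { host: 'api.example.test' },
  { host: '[2001:db8::1]:8443' },
  { host: ' api.example.test:8000 ' },
  { host: 'a'.repeat(10000) },        // oversized: rejected before any parsing
  { host: 'api.example.test:port' },   // non-numeric port: rejected
];

function runSamples() {
  return SAMPLE_REQUESTS.map((headers) => checkRequestHost(headers));
}
```

The gate is defense in depth, not a substitute for the upgrade: it keeps an oversized or malformed `Host` value from ever reaching a header-parsing regex downstream. The same pattern applies to any header that is handed to a regex: cap the length, prefer a parser whose cost is linear, and when a regex is unavoidable keep it to anchored character classes with no nested or overlapping quantifiers.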

What is the Impact of CVE-2022-29167?

Successful exploitation may allow attackers to consume excessive server resources, leading to a denial of service for the affected application or server, impacting availability and responsiveness.

What is the Exploitability of CVE-2022-29167?

Exploitation involves sending an HTTP request with a specially crafted `Host` header to an application using the vulnerable Hawk library. The complexity is low; it requires only constructing a malicious string that triggers the ReDoS condition in the regular expression. No authentication is required, as the `Host` header is part of every standard HTTP request and can be sent unauthenticated. No specific privileges are needed on the target system. This is a remotely exploitable vulnerability, since it is delivered via HTTP requests. The only precondition is that the application uses an affected version of the Hawk library (`Hawk.utils.parseHost()`) and exposes HTTP request processing to untrusted input. The risk is higher for publicly accessible endpoints that use Hawk for authentication, as they are exposed to unauthenticated malicious requests.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-29167?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • hawk
    • <9.0.1 → Upgrade to 9.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29167?

Similar Vulnerabilities: CVE-2022-3786, CVE-2021-39144, CVE-2020-7661, CVE-2019-10744, CVE-2018-3721