Upstream information

CVE-2023-26103 at MITRE

Description

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in the upgradeWebSocket function, which splits the Connection and Upgrade header values with a regular expression of the form /\s*,\s*/ (the upstream text renders it as /s*,s*/ because the backslashes were dropped). Each \s* greedily consumes a whitespace run and then backtracks one character at a time when no comma follows, so matching time grows quadratically with the header length. A specially crafted Connection or Upgrade header can therefore significantly slow down a WebSocket server.
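As an added example (not Deno's own code and not the 1.31.0 fix), the JavaScript below shows the regex split named in the description next to a linear-time alternative, plus a constructed whitespace-only header value that triggers the backtracking. The function names, the hardened variant and the timing helper are assumptions for illustration; only the /\s*,\s*/ pattern comes from the advisory.

```javascript
// Added example for CVE-2023-26103; not Deno's code. The Connection/Upgrade
// header is a comma-separated token list such as "keep-alive, Upgrade".
// Splitting it with /\s*,\s*/ is quadratic on a long whitespace run with no
// comma: at every start position \s* swallows the rest of the string, the
// literal "," fails, and the engine backtracks one character at a time.

const CONNECTION_SPLIT_RE = /\s*,\s*/;

// Vulnerable form: regex split of the raw header value (pattern from the CVE).
function splitHeaderValueVulnerable(value) {
  return value.split(CONNECTION_SPLIT_RE);
}

// Hardened form (an assumption here, not necessarily the upstream fix):
// split on the literal comma and trim each token. Both steps are linear.
function splitHeaderValueSafe(value) {
  return value.split(",").map((token) => token.trim());
}

// Connection/Upgrade tokens are compared case-insensitively.
function hasToken(tokens, wanted) {
  const target = wanted.toLowerCase();
  return tokens.some((token) => token.toLowerCase() === target);
}

// Constructed attacker input: a header value consisting only of spaces.
// No comma is present, so the regex backtracks at every position.
function craftedHeader(length) {
  return " ".repeat(length);
}

// Wall-clock time of one split in milliseconds, with the token count so the
// result is observably used.
function timeSplit(splitFn, value) {
  const start = Date.now();
  const tokens = splitFn(value);
  return { ms: Date.now() - start, count: tokens.length };
}

// Demo with a modest payload so it finishes quickly. Doubling the length
// roughly quadruples the vulnerable time while the safe split stays flat.
const demo = craftedHeader(10000);
console.log("vulnerable split:", timeSplit(splitHeaderValueVulnerable, demo));
console.log("safe split:      ", timeSplit(splitHeaderValueSafe, demo));
```

For a request handler the practical checks are the same as in the safe variant: never hand an unbounded, attacker-controlled header to a regex with adjacent unbounded quantifiers, and cap header length at the server or reverse proxy so even a linear parser has a fixed upper bound of work per request.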

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores

Metric                  CNA (Snyk)                                     National Vulnerability Database
Base Score              5.3                                            7.5
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector           Network                                        Network
Attack Complexity       Low                                            Low
Privileges Required     None                                           None
User Interaction        None                                           None
Scope                   Unchanged                                      Unchanged
Confidentiality Impact  None                                           None
Integrity Impact        None                                           None
Availability Impact     Low                                            High
CVSSv3 Version          3.1                                            3.1

SUSE Bugzilla entry: 1208698 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Sat Feb 25 07:00:16 2023
CVE page last modified: Wed Mar 12 18:58:11 2025