CVE-2016-10539 (High) detected in negotiator-0.3.0.tgz

[mend-bolt-for-github[bot]]

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Library - negotiator-0.3.0.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-inspector/node_modules/negotiator/package.json

Dependency Hierarchy: - node-debug-0.1.0.tgz (Root Library) - node-inspector-0.6.2.tgz - express-3.4.8.tgz - connect-2.12.0.tgz - :x: **negotiator-0.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: e51ac509e11100b261cb1c0ba3c578d747ec913a

Found in base branch: master

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/106

Release Date: 2018-05-31

Fix Resolution: 0.6.1

---

Step up your Open Source Security Game with WhiteSource here

[github-actions[bot]]

👋 Thanks for reporting!