kornelski / http-cache-semantics

RFC 7234 in JavaScript. Parses HTTP headers to correctly compute cacheability of responses, even in complex cases
http://httpwg.org/specs/rfc7234.html
BSD 2-Clause "Simplified" License

An old version used to have a ReDoS report #48

Closed matteematt closed 2 weeks ago

matteematt commented 2 weeks ago

https://github.com/advisories/GHSA-rc47-6667-2j5j

kornelski commented 2 weeks ago

This does not apply to the latest version, which has removed the offending regex.

Snyk/GitHub/NPM have a problem of indiscriminately spamming people with scary "high" severity reports, but the real-world impact of ReDoS is questionable. It's not RCE or disclosure of any private info, just some CPU time wasted if someone manages to send long enough specially crafted headers.

It has been fixed anyway, just update your dependencies.