CVE-2022-25881: http-cache-semantics vulnerable to Regular Expression Denial of Service

January 31, 2023 (updated February 1, 2023)

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

References

github.com/advisories/GHSA-rc47-6667-2j5j
github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83
nvd.nist.gov/vuln/detail/CVE-2022-25881
security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332
security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783

Detect and mitigate CVE-2022-25881 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →