Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
With specially crafted value of the x-forwarded-proto or x-forwarded-for headers, it's possible to significantly slow down an oak server.
Advisories for Npm/@Oakserver/Oak package
2025
2024
Path traversal in oak allows transfer of hidden files within the served root directory
By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by encoding / as its URL encoded form %2F.