CVE-2016-10539: Improper Input Validation

October 9, 2018 (updated January 8, 2021)

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for “Accept-Language”, when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

References

github.com/advisories/GHSA-7mc5-chhp-fmc3
nodesecurity.io/advisories/106
nvd.nist.gov/vuln/detail/CVE-2016-10539
www.npmjs.com/advisories/106

Detect and mitigate CVE-2016-10539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →