Impact
Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), which was subject to a regular expression denial-of-service (ReDoS) attack, meaning each added character in the attacker's input increases the computation time exponentially.
Patches
parseHost() was patched in 9.0.1 to use the built-in URL class to parse the hostname instead.
Workarounds
Hawk.authenticate() accepts an options argument. If that object contains host and port, those values are used instead of calling utils.parseHost(), so the Host header is never parsed.
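The two mitigations above (the patch and the workaround) as an added example; this is not Hawk's own code. It parses a Host header value with Node's built-in URL class, which does not backtrack, and shows the workaround pattern of preferring configured host and port over the header. The `serverConfig` object and the function names are assumptions for illustration.

```javascript
// Added example, not Hawk's code: parse a Host header with the built-in URL
// class instead of a regular expression, and prefer configured host/port.

// Returns { name, port } for a "Host" header value, or null when the value is
// not a plain authority (hostname[:port]). `encrypted` selects the default port
// the way a TLS flag on the connection would (443 vs 80).
function parseHostHeader(hostHeader, encrypted = false) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) {
    return null;
  }
  const scheme = encrypted ? 'https' : 'http';
  let url;
  try {
    // The scheme is only a placeholder so URL treats the value as an authority.
    // WHATWG URL parsing is linear in the input, so long inputs stay cheap.
    url = new URL(`${scheme}://${hostHeader}`);
  } catch (err) {
    return null; // bad port, forbidden host characters, etc.
  }
  // Reject values that smuggle userinfo, a path, a query or a fragment.
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    return null;
  }
  // URL drops the scheme's default port (80/443), so fall back to it here.
  const defaultPort = encrypted ? 443 : 80;
  return {
    name: url.hostname, // lowercased; IPv6 literals keep their brackets
    port: url.port ? Number(url.port) : defaultPort,
  };
}

// Workaround pattern from the advisory: when the deployment knows its own host
// and port, use them and never look at the attacker-controlled header.
// `serverConfig` is a constructed, hypothetical config object.
function resolveHost(req, serverConfig = {}) {
  if (serverConfig.host && serverConfig.port) {
    return { name: serverConfig.host, port: serverConfig.port };
  }
  const encrypted = Boolean(req.connection && req.connection.encrypted);
  return parseHostHeader(req.headers.host, encrypted);
}
```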
References
Pull request with a fix
For more information
If you have any questions or comments about this advisory:
Credits
JFrog Security Research