CVE-2016-2515 — Regular Expression Denial of Service in hawk

Description

Versions of `hawk` prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI's. ## Recommendation Update to hawk version 4.1.1 or later.

How to fix CVE-2016-2515

To remediate CVE-2016-2515, upgrade the affected package to a fixed version below.

npm/hawk—upgrade to 4.1.1 or later

Is CVE-2016-2515 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 4.0.0, < 4.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYgithub.com/advisories/GHSA-jcpv-g9rr-qxrc
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-2515
PATCHgithub.com/hueniverse/hawk
WEBbugzilla.redhat.com/show_bug.cgi?id=1309721
WEB