What the vulnerability does

01Description

charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low.

Key dates

02Disclosure timeline

June 7, 2018 CVE published
September 16, 2024 Record updated