7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16098

GHSA ID

GHSA-9cp3-fh5x-xfcj

EPSS Score

0.55097%

CWE

CWE-400

Published

8/9/2018

Updated

3/31/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16098

CVE-2017-16098: Regular Expression Denial of Service in charset

Affected versions of charset are susceptible to a regular expression denial of service.

The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

Recommendation

Update to version 1.0.1 or later.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16098

GHSA ID

GHSA-9cp3-fh5x-xfcj

EPSS Score

0.55097%

CWE

CWE-400

Published

8/9/2018

Updated

3/31/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
charset	npm	< 1.0.1	1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the CHARTSET_RE regular expression in index.js, which was modified in the patch to add quantifier limits ({0,10} for spaces and {1,100} for charset strings). The original regex's unbounded quantifiers (\s* and *) made it susceptible to ReDoS via crafted long inputs. The charset function directly uses this regex for header parsing, making it the clear vulnerable entry point. The commit's test cases in performance.test.js explicitly validate these limits, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `***rs*t` *r* sus**pti*l* to * r**ul*r *xpr*ssion **ni*l o* s*rvi**. T** *mpli*i**tion on t*is vuln*r**ility is r*l*tiv*ly low - it t*k*s *roun* * s**on*s *or t** *n*in* to *x**ut* on * m*li*ious input w*i** is **,*** ***r**t*rs

Reasoning

T** vuln*r**ility st*ms *rom t** ***RTS*T_R* r**ul*r *xpr*ssion in in**x.js, w*i** w*s mo*i*i** in t** p*t** to *** qu*nti*i*r limits ({*,**} *or sp***s *n* {*,***} *or ***rs*t strin*s). T** ori*in*l r***x's un*oun*** qu*nti*i*rs (\s* *n* *) m*** it

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16098: Regular Expression Denial of Service in charset

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI