
CVE-2017-16136: method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header

CVSS Score (CVSS 3.0): 7.5

Basic Information

EPSS Score: 0.55082%
Published: 7/24/2018
Updated: 9/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name    | Ecosystem | Vulnerable Versions  | First Patched Version
method-override | npm       | = 1.0.2              | 2.3.10
method-override | npm       | >= 2.0.0, < 2.3.10   | 2.3.10

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the header parsing logic in createHeaderGetter, which originally applied a regex split to the entire header value. The commit diff shows this was replaced with a simple indexOf/trim operation so that no regex runs over the untrusted header at all. This matches the ReDoS pattern in which a regular expression evaluated against attacker-controlled input can be driven into excessive backtracking, tying up the single Node.js event loop and denying service. The patch addresses this by eliminating the vulnerable regex split entirely rather than by tuning the expression.
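The following is an added example, not code from the method-override package or from Miggo, showing the two parsing shapes described above side by side and a defender-side resolver built on the patched-style approach. The regex in firstTokenViaRegexSplit is a constructed illustration of "a regex split over the entire header value" and is not claimed to be the package's exact expression; the allowlist, the length cap and the sample requests are assumptions for the example.

```javascript
// Added example (not the method-override project's code): resolving the
// X-HTTP-Method-Override header without running a regex over the whole value.

// Methods an override is permitted to select. Assumption for this example.
const ALLOWED_METHODS = new Set(['PUT', 'PATCH', 'DELETE']);

// Defense-in-depth cap applied before any parsing of the header.
const MAX_HEADER_LENGTH = 64;

// Shape of the pre-patch approach: split the entire header value with a
// regex. The pattern is a constructed illustration, not the package's code.
function firstTokenViaRegexSplit(value) {
  return value.split(/ *, */)[0];
}

// Patched-style approach: locate the first comma with indexOf and trim the
// prefix. Work is linear in the header length regardless of its content.
function firstTokenViaIndexOf(value) {
  const comma = value.indexOf(',');
  const first = comma === -1 ? value : value.slice(0, comma);
  return first.trim();
}

// Resolve the effective method for a request-like object. Falls back to the
// original method when the override is absent, over-long, or not allowlisted.
function resolveMethod(req) {
  const raw = req.headers['x-http-method-override'];
  if (typeof raw !== 'string' || raw.length === 0) return req.method;
  if (raw.length > MAX_HEADER_LENGTH) return req.method;
  const override = firstTokenViaIndexOf(raw).toUpperCase();
  return ALLOWED_METHODS.has(override) ? override : req.method;
}

// Constructed sample requests exercising normal, list-valued, disallowed
// and missing override headers.
const samples = [
  { method: 'POST', headers: { 'x-http-method-override': 'DELETE' } },
  { method: 'POST', headers: { 'x-http-method-override': ' patch , PUT' } },
  { method: 'POST', headers: { 'x-http-method-override': 'TRACE' } },
  { method: 'POST', headers: {} },
];

for (const req of samples) {
  console.log(JSON.stringify(req.headers), '->', resolveMethod(req));
}
```

The resolver applies the length cap before parsing and validates the parsed token against an allowlist, so a malformed or oversized header costs a constant-time rejection rather than a regex evaluation, and an unexpected method name can never be promoted to the effective request method.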


WAF Protection Rules

WAF Rule

Affected versions of `method-override` are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the `X-HTTP-Method-Override` header.

Recommendation: Update to version 2.3.10 or later.
