
CVE-2023-26104:
Denial of Service vulnerability in lite-web-server

7.5

CVSS Score

Basic Information

EPSS Score
-
Published
2/25/2023
Updated
2/27/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
lite-web-server
Ecosystem
npm
Vulnerable Versions
<= 1.2.2
First Patched Version
(none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from line 274 of WebServer.js where decodeURIComponent() is directly applied to req.url. This function throws URIError when encountering invalid encoded URI components, which isn't caught by any try/catch block. Attackers can exploit this by sending specially crafted URLs with invalid encoding, causing unhandled exceptions that terminate the server process. The advisory explicitly references this line, and the lack of error handling around URI decoding is a well-known pattern for DoS vulnerabilities in Node.js servers.
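The pattern described above, shown as an added example that is not lite-web-server's code and not taken from the advisory: an unguarded decodeURIComponent() beside a hardened form that turns a URIError into a 400 response. The function names (decodePathUnsafe, decodePathSafe, handleRequest) and the sample request paths are constructed for this illustration.

```javascript
// Pattern the root cause analysis describes (reconstructed, not the
// project's own code): decodeURIComponent() applied straight to req.url.
// A request path with a truncated or stray percent-escape makes it throw
// URIError; without a try/catch in the handler, Node.js treats that as an
// uncaught exception and the server process exits.
function decodePathUnsafe(rawUrl) {
  return decodeURIComponent(rawUrl);
}

// Hardened form: a malformed escape is a client error, not a crash.
// Returns the decoded path, or null when the encoding is invalid.
function decodePathSafe(rawUrl) {
  try {
    return decodeURIComponent(rawUrl);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err; // anything else is a genuine bug and should surface
  }
}

// Request handler built on the safe decoder. Works with the (req, res)
// pair from http.createServer; responds 400 instead of terminating.
function handleRequest(req, res) {
  const path = decodePathSafe(req.url);
  if (path === null) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Bad Request: malformed URL encoding\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end(`Decoded path: ${path}\n`);
}

// Constructed sample paths (not from the advisory): two valid, two with
// escapes that decodeURIComponent() rejects.
const SAMPLE_PATHS = ['/index.html', '/a%20b', '/%E0%A4%A', '/%'];

// Classify each path as accepted (decoded string) or rejected (null).
function classifyPaths(paths) {
  return paths.map((p) => ({ raw: p, decoded: decodePathSafe(p) }));
}

for (const r of classifyPaths(SAMPLE_PATHS)) {
  console.log(r.raw, '=>', r.decoded === null ? 'REJECT (URIError)' : r.decoded);
}
```

To wire it into a server, pass handleRequest to http.createServer(handleRequest).listen(8080). The point of the try/catch is that the failure is scoped to one request; a process-level 'uncaughtException' handler would keep the process alive but leave the half-handled connection in an undefined state, so catching at the decode site is the cleaner fix.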


WAF Protection Rules

WAF Rule

All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
