Severity: high

    Regular Expression Denial of Service

    negotiator

    Overview

    Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.

    Remediation

    Update to version 0.6.1 or later.
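
    To confirm the remediation across a dependency tree, the following added example (not part of the advisory or of negotiator itself) lists every negotiator copy in a parsed package-lock.json that is older than 0.6.1. The function names, the sample lockfiles and the dependency names in them are constructed for illustration, and versions are assumed to be plain x.y.z.

```javascript
// Added example: report negotiator copies older than the fixed release.
// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages").
const PACKAGE = 'negotiator';
const FIXED = '0.6.1'; // from the advisory's Remediation section

// Compare x.y.z versions; pre-release/build suffixes are ignored (assumption).
function lessThan(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

function findVulnerable(lock) {
  const hits = [];
  // v2/v3: keys look like "node_modules/a/node_modules/negotiator"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === PACKAGE && meta.version && lessThan(meta.version, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 also carries "dependencies"; skip duplicates
  // v1: { name: { version, dependencies: { ... } } }, walked recursively
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PACKAGE && meta.version && lessThan(meta.version, FIXED)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (hypothetical dependency names, not real data).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'some-framework': { version: '1.0.0', dependencies: {
    'some-middleware': { version: '1.0.0', dependencies: {
      negotiator: { version: '0.5.3' } } } } },
  negotiator: { version: '0.6.1' } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/negotiator': { version: '0.6.0' },
  'node_modules/some-middleware/node_modules/negotiator': { version: '0.6.2' } } };
console.log(findVulnerable(sampleV1), findVulnerable(sampleV3));
```

    On a real project, pass the result of JSON.parse on the contents of package-lock.json to findVulnerable; any entry it returns is a copy that still needs the update.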

    Advisory timeline

    1. published

      Advisory published
      Jun 16th, 2016
    2. reported

      Initial report by Adam Baldwin
      May 4th, 2016