vulnerability

Debian: CVE-2016-10539: node-negotiator -- security update

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:P)

Published

May 31, 2018

Added

Jul 30, 2024

Modified

Mar 30, 2026

Description

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Solution

debian-upgrade-node-negotiator

References

CVE-2016-10539
https://attackerkb.com/topics/CVE-2016-10539
CWE-20
CWE-400
EUVD-EUVD-2018-0538
https://euvd.enisa.europa.eu/vulnerability/EUVD-2018-0538

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report