method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header
- Severity:
- High
Description
Affected versions of method-override are vulnerable to a regular expression denial of service vulnerability when untrusted user input is passed into the X-HTTP-Method-Override header.
Recommendation
Update the method-override package to the latest compatible version. Followings are version details:
Affected version(s): **>= 2.0.0, < 2.3.10 = 1.0.2** - Patched version(s): 2.3.10
References
Related Issues
- matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
- Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service - CVE-2022-35204
- Tags:
- npm
- method-override
Anything's wrong? Let us know Last updated on September 11, 2023