VYPR
Moderate severity · NVD Advisory · Published Feb 25, 2023 · Updated Mar 11, 2025

CVE-2023-26103

Description

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /\s*,\s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a WebSocket server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deno before 1.31.0 is vulnerable to ReDoS via crafted Connection/Upgrade headers in the upgradeWebSocket function.

CVE-2023-26103 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the Deno runtime, affecting versions prior to 1.31.0. The root cause lies in the upgradeWebSocket function within ext/http/01_http.js. This function uses the regex pattern /\s*,\s*/ to split the Connection and Upgrade headers into their comma-separated tokens [1][4]. When a specially crafted header containing many commas and whitespace characters is supplied, the regex engine can encounter catastrophic backtracking, consuming CPU resources disproportionately to the input size [1][3].

To exploit this vulnerability, an attacker must be able to send HTTP requests to a Deno server that utilizes WebSocket upgrades. No authentication is required if the server endpoint is exposed publicly. The attack involves sending a crafted Connection or Upgrade header with a carefully constructed sequence of spaces and commas, which causes the regex matching to take exponential time to process [1][3]. This is a classic ReDoS attack vector, where a seemingly simple regex can be forced into a worst-case performance scenario by malicious input.

The impact of successful exploitation is a Denial of Service condition: the affected server process becomes unresponsive or significantly slowed while processing the malicious header. An attacker can tie up server resources, making the WebSocket server unavailable for legitimate requests. There is no data breach or code execution risk, but the attack can disrupt service availability [1][3].

Mitigation is straightforward: users should upgrade Deno to version 1.31.0 or later, as released on February 23, 2023 [2]. The fix addresses the regex pattern to prevent catastrophic backtracking. No workaround is listed for unpatched versions; upgrading is the recommended action [1][2].
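The two header-token checks from upgradeWebSocket, legacy and patched, written out below as an added example in plain JavaScript (this is not Deno's own code: primordials are replaced by ordinary String methods, and the helpers websocketUpgradeError, whitespaceHeader, timeMs and demo are hypothetical names of mine). It also shows the one behaviour change the patch introduces, which the commit does not spell out: whitespace at the outer ends of the header value is now trimmed too.

```javascript
// Added example, not Deno's code: the two header-token checks from
// upgradeWebSocket rewritten with ordinary String methods instead of
// primordials, so they run in any JS engine.

// Legacy check (Deno < 1.31.0). The \s* on each side of the comma
// backtracks through every whitespace run that is not followed by ','.
function headerHasTokenLegacy(value, token) {
  if (value === null || value === undefined) return false;
  return value.split(/\s*,\s*/).some((o) => o.toLowerCase() === token);
}

// Patched check (commit cf06a7c7e672): split on a literal comma, then
// trim each element. Both operations are a single pass over the value.
function headerHasToken(value, token) {
  if (value === null || value === undefined) return false;
  return value.split(",").some((o) => o.trim().toLowerCase() === token);
}

// Mirrors the order of the two checks in upgradeWebSocket. Returns the
// name of the first header that fails, or null when the upgrade is valid.
// `headers` is anything with a get(name) method (Headers, or a Map here).
function websocketUpgradeError(headers) {
  if (!headerHasToken(headers.get("upgrade"), "websocket")) return "upgrade";
  if (!headerHasToken(headers.get("connection"), "upgrade")) return "connection";
  return null;
}

// Constructed regression input: a value that is only optional whitespace
// (OWS) and never contains the comma the legacy regex searches for.
function whitespaceHeader(length) {
  return " ".repeat(length);
}

// Wall-clock cost of one call in ms (performance is global in Node and Deno).
function timeMs(fn) {
  const start = performance.now();
  fn();
  return performance.now() - start;
}

// Compare both checks on the same whitespace-only value: the legacy cost
// grows much faster than linearly with the length, the patched cost stays flat.
function demo(length = 10000) {
  const header = whitespaceHeader(length);
  const legacy = timeMs(() => headerHasTokenLegacy(header, "upgrade"));
  const patched = timeMs(() => headerHasToken(header, "upgrade"));
  console.log(`${length} chars: legacy ${legacy.toFixed(1)} ms, patched ${patched.toFixed(1)} ms`);
}
demo();
```

The whitespace-only case doubles as a CI regression test for the patched parser: it must return false quickly for any length, because neither split(",") nor trim() can backtrack.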

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: deno (crates.io)
Affected versions: >= 1.12.0, < 1.31.0
Patched versions: 1.31.0

Affected products (2)

  • deno/deno
    Source: ghsa-coords
    Range: >= 1.12.0, < 1.31.0

Patches (1)

Commit cf06a7c7e672

refactor(ext/http): use `String.prototype.trim()` instead of regex (#17722)

https://github.com/denoland/deno · Bert Belder · Feb 10, 2023 · via ghsa
1 file changed · +7 −4
  • ext/http/01_http.js (modified, +7 −4)
    @@ -51,6 +51,7 @@ const {
       StringPrototypeIncludes,
       StringPrototypeToLowerCase,
       StringPrototypeSplit,
    +  StringPrototypeTrim,
       Symbol,
       SymbolAsyncIterator,
       TypeError,
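    Review bot: `StringPrototypeTrim` is inserted in alphabetical position in the sorted primordials destructuring, matching the existing ordering of the list; nothing else is needed in this hunk, since the two call sites that use it follow below.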
    @@ -393,8 +394,9 @@ function upgradeWebSocket(request, options = {}) {
       const upgrade = request.headers.get("upgrade");
       const upgradeHasWebSocketOption = upgrade !== null &&
         ArrayPrototypeSome(
    -      StringPrototypeSplit(upgrade, /\s*,\s*/),
    -      (option) => StringPrototypeToLowerCase(option) === "websocket",
    +      StringPrototypeSplit(upgrade, ","),
    +      (option) =>
    +        StringPrototypeToLowerCase(StringPrototypeTrim(option)) === "websocket",
         );
       if (!upgradeHasWebSocketOption) {
         throw new TypeError(
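    Review bot: the split-then-trim form of `upgradeHasWebSocketOption` removes the backtracking regex but also widens what is accepted, and that should be covered by a test. The old `/\s*,\s*/` only consumed whitespace adjacent to a comma, so a value such as `"  websocket"` was rejected, whereas `StringPrototypeTrim(option)` now accepts it; that is the right reading of HTTP optional whitespace, but it is a behaviour change. Empty elements from a value like `"websocket,,"` trim to `""` and are harmlessly skipped by `ArrayPrototypeSome`, so no extra filtering is required.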
    @@ -405,8 +407,9 @@ function upgradeWebSocket(request, options = {}) {
       const connection = request.headers.get("connection");
       const connectionHasUpgradeOption = connection !== null &&
         ArrayPrototypeSome(
    -      StringPrototypeSplit(connection, /\s*,\s*/),
    -      (option) => StringPrototypeToLowerCase(option) === "upgrade",
    +      StringPrototypeSplit(connection, ","),
    +      (option) =>
    +        StringPrototypeToLowerCase(StringPrototypeTrim(option)) === "upgrade",
         );
       if (!connectionHasUpgradeOption) {
         throw new TypeError(
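    Review bot: this hunk repeats the same split/trim/lowercase/compare shape as the `upgrade` check above with only the header name and the token changed; a small helper such as `headerHasToken(value, token)` would keep the two checks from drifting apart (the vulnerable regex was duplicated in exactly the same way) and give one place to test the whitespace handling. The change itself is sound: `StringPrototypeSplit(connection, ",")` and `StringPrototypeTrim` each make a single pass over the value, so no header content can trigger backtracking.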
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)
