Medium severity · 5.3 · NVD Advisory · Published Aug 9, 2025 · Updated Apr 15, 2026

CVE-2025-55152


Description

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@oakserver/oaknpm
<= 14.1.0

Patches

cba00507b0f3

Release v17.1.6

https://github.com/oakserver/oak · Kitson Kelly · Aug 8, 2025 · via osv
2 files changed · +7 −1
  • CHANGELOG.md+6 0 modified
    @@ -1,5 +1,11 @@
     # oak Change Log
     
    +## Version 17.1.6
    +
    +- fix: address ReDoS vulnerability in headers (#700)
    +- chore: remove v1.x deno from ci (3e4bf17)
    +- chore: ignore two CI failing inspect tests (babb9c5)
    +
     ## Version 17.1.5
     
     - fix: don't return true for isNode() under Deno (#695)
    
  • deno.json+1 1 modified
    @@ -1,6 +1,6 @@
     {
       "name": "@oak/oak",
    -  "version": "17.1.5",
    +  "version": "17.1.6",
       "exports": {
         ".": "./mod.ts",
         "./application": "./application.ts",
    
b60e60330ef2

fix: address ReDoS vulnerability in headers (#700)

https://github.com/oakserver/oak · Kitson Kelly · Aug 8, 2025 · via ghsa
2 files changed · +98 −5
  • request.test.ts+79 0 modified
    @@ -288,3 +288,82 @@ Deno.test({
         );
       },
     });
    +
    +Deno.test({
    +  name: "request.x-forwarded-for - splits, trims, and orders correctly",
    +  fn() {
    +    const request = new Request(
    +      createMockNativeRequest("https://example.com/index.html", {
    +        headers: {
    +          "x-forwarded-host": "example.com",
    +          "x-forwarded-proto": "http",
    +          "x-forwarded-for": " 10.10.10.10 ,   192.168.1.1 ,   [::1]  ",
    +        },
    +      }),
    +      { proxy: true, secure: true },
    +    );
    +    assertEquals(request.ips, ["10.10.10.10", "192.168.1.1", "[::1]"]);
    +    assertEquals(request.ip, "10.10.10.10");
    +  },
    +});
    +
    +Deno.test({
    +  name: "request.x-forwarded-for - caps entries and is performant",
    +  fn() {
    +    const manyIps = Array.from({ length: 1000 }, (_, i) => `10.0.0.${i}`).join(
    +      ", ",
    +    );
    +    const request = new Request(
    +      createMockNativeRequest("https://example.com/index.html", {
    +        headers: {
    +          "x-forwarded-host": "example.com",
    +          "x-forwarded-proto": "http",
    +          // also prepend some whitespace noise to mimic worst-case patterns
    +          "x-forwarded-for": `  \t  ${manyIps}  \t  `,
    +        },
    +      }),
    +      { proxy: true, secure: true },
    +    );
    +    performance.mark("start-xff");
    +    const ips = request.ips;
    +    const measure = performance.measure("xff", { start: "start-xff" });
    +    // Hard upper bound; the operation should be very fast
    +    assert(measure.duration < 20);
    +    // Ensure we cap the number of parsed IPs (implementation caps at 100)
    +    assertEquals(ips.length, 100);
    +    assertEquals(ips[0], "10.0.0.0");
    +  },
    +});
    +
    +Deno.test({
    +  name: "request.x-forwarded-proto - normalizes and allowlists http/https",
    +  fn() {
    +    const request = new Request(
    +      createMockNativeRequest("http://example.com/index.html", {
    +        headers: {
    +          "x-forwarded-host": "example.com",
    +          "x-forwarded-proto": "  HTTPS  , http ",
    +        },
    +      }),
    +      { proxy: true },
    +    );
    +    assertEquals(request.url.protocol, "https:");
    +  },
    +});
    +
    +Deno.test({
    +  name: "request.x-forwarded-proto - invalid values fall back to http",
    +  fn() {
    +    const request = new Request(
    +      createMockNativeRequest("http://example.com/index.html", {
    +        headers: {
    +          "x-forwarded-host": "example.com",
    +          // first token invalid, second valid, we only honor the first
    +          "x-forwarded-proto": "javascript, https",
    +        },
    +      }),
    +      { proxy: true },
    +    );
    +    assertEquals(request.url.protocol, "http:");
    +  },
    +});
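Review bot: The wall-clock bound `assert(measure.duration < 20);` in the "caps entries and is performant" test is a flakiness risk on loaded CI runners, and a comma-separated list of short addresses is probably not the worst-case shape for the replaced `/\s*,\s*/` split (long whitespace runs with no comma were), so a fast run here does not by itself show the slow path is gone. The entry cap is the property worth pinning, so the duration check could be relaxed or dropped, and the comment above it should say it is a smoke bound rather than a guarantee, e.g. `// Smoke bound only; the real assertion is the entry cap below`. Nothing in this file exercises the length cap that the request.ts section on this page applies before splitting, so a case whose input is cut mid-address, asserting whether a truncated final entry is returned, would document that behaviour. The hard-coded `100` on the `ips.length` line would be better read from a shared constant if request.ts exported one.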
    
  • request.ts+19 5 modified
    @@ -83,8 +83,15 @@ export class Request {
        * `X-Forwarded-For`.  When `false` an empty array is returned. */
       get ips(): string[] {
         return this.#proxy
    -      ? (this.#serverRequest.headers.get("x-forwarded-for") ??
    -        this.#getRemoteAddr()).split(/\s*,\s*/)
    +      ? (() => {
    +        const raw = this.#serverRequest.headers.get("x-forwarded-for") ??
    +          this.#getRemoteAddr();
    +        const bounded = raw.length > 4096 ? raw.slice(0, 4096) : raw;
    +        return bounded
    +          .split(",", 100)
    +          .map((part) => part.trim())
    +          .filter((part) => part.length > 0);
    +      })()
           : [];
       }
     
    @@ -138,9 +145,16 @@ export class Request {
             let proto: string;
             let host: string;
             if (this.#proxy) {
    -          proto = serverRequest
    -            .headers.get("x-forwarded-proto")?.split(/\s*,\s*/, 1)[0] ??
    -            "http";
    +          const xForwardedProto = serverRequest.headers.get(
    +            "x-forwarded-proto",
    +          );
    +          let maybeProto = xForwardedProto
    +            ? xForwardedProto.split(",", 1)[0].trim().toLowerCase()
    +            : undefined;
    +          if (maybeProto !== "http" && maybeProto !== "https") {
    +            maybeProto = undefined;
    +          }
    +          proto = maybeProto ?? "http";
               host = serverRequest.headers.get("x-forwarded-host") ??
                 this.#url?.hostname ??
                 serverRequest.headers.get("host") ??
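Review bot: In the `ips` hunk, slicing `raw` to 4096 characters before splitting can cut inside an address, and that fragment survives `trim()` and the empty-string filter and is returned as a real entry; the `split(",", 100)` limit does not have this problem because it only drops whole tokens. Consider discarding the final element when truncation occurred and fewer than 100 tokens were produced, or at least documenting it above the getter with a comment such as `// Header is capped at 4096 chars and 100 entries to bound parsing cost; a cap that lands mid-address can leave a truncated last entry.` Hoisting `4096` and `100` into named module constants (for example a `MAX_FORWARDED_FOR_LENGTH` / `MAX_FORWARDED_FOR_ENTRIES` pair) would also let request.test.ts reference them instead of repeating the literal 100. In the second hunk, `split(",", 1)[0].trim()` types the index as `string | undefined` if the project enables `noUncheckedIndexedAccess`, in which case a `?? ""` guard is needed; if it does not, the expression is fine since `split` always yields at least one element. Both the `ips` getter's enclosing class and the `url` getter continue outside these hunks.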
    
