CVE-2023-26104: Denial of Service vulnerability in lite-web-server

February 25, 2023 (updated November 9, 2023)

All versions of the package lite-web-server is vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

References

gist.github.com/lirantal/637520812da06fffb91dd86d02ff6bde
github.com/advisories/GHSA-8237-3q5g-99fv
github.com/chasyumen/lite-web-server/blob/main/src/WebServer.js
nvd.nist.gov/vuln/detail/CVE-2023-26104
security.snyk.io/vuln/SNYK-JS-LITEWEBSERVER-3153703

Code Behaviors & Features

Detect and mitigate CVE-2023-26104 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →