← back
CVE-2025-55152

oak: ReDoS in x-forwarded-proto and x-forwarded-for headers

CVSS 5.3 MEDIUMEPSS 0.4%CWE-1333CWE-400
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
oakserver · oak

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9