CVE-2022-29167

HIGH

Hawk - DoS

Title source: llm

Description

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.

References (2)

[Patch, Third Party Advisory] https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq

[Patch, Third Party Advisory] https://github.com/mozilla/hawk/pull/286

Scores

CVSS v3 7.4

EPSS 0.0013

EPSS Percentile 31.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333 CWE-400

Status published

Products (2)

mozilla/hawk < 9.0.1

npm/hawk 0 - 9.0.1npm

Published May 05, 2022

Tracked Since Feb 18, 2026