Login Sign Up

CVE-2021-23490

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in parse-link-header package allows attackers to cause Denial of Service (DoS) through specially crafted link headers that trigger inefficient regular expression processing. It affects applications using parse-link-header versions before 2.0.0 to parse HTTP Link headers.

💻 Affected Systems

Products:
  • parse-link-header
Versions: All versions before 2.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using parse-link-header to parse HTTP Link headers, particularly web applications and APIs.

📦 What is this software?

Parse Link Header by Parse Link Header Project

View all CVEs affecting Parse Link Header →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion from ReDoS attack, potentially affecting all users of the vulnerable application.

🟠

Likely Case

Degraded performance or temporary service disruption when malicious link headers are processed.

🟢

If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious HTTP Link headers to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0

Vendor Advisory: https://github.com/thlorenz/parse-link-header/commit/72f05c717b3f129c5331a07bf300ed8886eb8ae1

Restart Required: Yes

Instructions:

1. Update parse-link-header dependency to version 2.0.0 or later. 2. Update package.json to specify 'parse-link-header': '^2.0.0'. 3. Run npm update parse-link-header. 4. Restart the application.

🔧 Temporary Workarounds

Input Validation

all

Implement input validation to reject or sanitize link headers before passing to parse-link-header.

Rate Limiting

all

Implement rate limiting on endpoints that process link headers to mitigate DoS impact.

🧯 If You Can't Patch

  • Implement WAF rules to block malicious link header patterns
  • Deploy reverse proxy with request filtering for link headers

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/parse-link-header/package.json for version number below 2.0.0.

Check Version:

npm list parse-link-header

Verify Fix Applied:

Confirm parse-link-header version is 2.0.0 or higher in package.json and verify application functions correctly with link headers.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Increased request processing times
  • Application crashes when processing specific requests

Network Indicators:

  • Unusually large or complex Link headers in HTTP requests
  • Repeated requests with similar link headers

SIEM Query:

source="application_logs" AND ("high cpu" OR "slow response") AND "link-header"

📊 Metadata

CVE ID: CVE-2021-23490
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
Published: December 24, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23490, you might also want to check these:

CVE-2023-29487 9.1

This CVE describes a denial-of-service vulnerability in Heimdal Thor agent's Threat To Process Corre...

Same vulnerability type (CWE-1333)
CVE-2025-62484 8.1

A regular expression complexity vulnerability in Zoom Workplace Clients allows unauthenticated attac...

Same vulnerability type (CWE-1333)
CVE-2024-4148 7.5

A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary version 1.2.10 allo...

Same vulnerability type (CWE-1333)