CVE-2022-29167

7.4 HIGH

📋 TL;DR

CVE-2022-29167 is a regular expression denial-of-service (ReDoS) vulnerability in the Hawk HTTP authentication library. An attacker can craft a malicious Host header that makes the library's host parsing take exponentially longer, potentially crashing the server or severely degrading its performance. Any application that relies on a vulnerable version of Hawk for HTTP authentication is affected.

💻 Affected Systems

Products:
  • Hawk HTTP authentication library
Versions: All versions before 9.0.1
Operating Systems: All operating systems running Node.js applications with Hawk
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Hawk's parseHost() function or authenticate() without explicit host/port options.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to server resource exhaustion, potentially affecting multiple services on the same host.

🟠 Likely Case

Degraded server performance and increased response times, potentially leading to partial service disruption.

🟢 If Mitigated

Minimal impact with proper rate limiting, input validation, and updated library versions.

🌐 Internet-Facing: HIGH - Web servers using Hawk authentication are directly exposed to malicious HTTP requests.
🏢 Internal Only: MEDIUM - Internal services using Hawk could still be targeted by authenticated attackers or through other vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with malicious Host headers to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.1

Vendor Advisory: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq

Restart Required: Yes

Instructions:

1. Update the Hawk dependency to version 9.0.1 or later.
2. Update package.json to specify "hawk": ">=9.0.1".
3. Run npm update hawk or yarn upgrade hawk.
4. Restart the affected Node.js applications.

🔧 Temporary Workarounds

Input validation middleware

all

Add middleware to validate and sanitize Host headers before they reach Hawk authentication.

// Example Express middleware:
// The length check runs first so the regex only ever sees a bounded input,
// and the pattern itself contains no nested or overlapping quantifiers.
// Note: this pattern rejects bracketed IPv6 literals such as [::1]:3000.
app.use((req, res, next) => {
  const host = req.headers.host;
  if (!host || host.length > 255 || !/^[a-zA-Z0-9.-]+(:[0-9]+)?$/.test(host)) {
    return res.status(400).send('Invalid Host header');
  }
  next();
});
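As an added example (not code from the advisory or from the Hawk project), a linear-time Host header validator to run before Hawk's authenticate()/parseHost(): it bounds the length before any pattern matching, uses only unambiguous regexes, and, unlike the simpler pattern above, accepts bracketed IPv6 literals such as [::1]:3000. The 255-byte limit, the function names and the port range are assumptions.

```javascript
// Added example (not from the advisory or the Hawk project): a linear-time
// Host header validator to run before Hawk's authenticate()/parseHost().
// Defensive points: bound the length before any regex runs, use only
// unambiguous (backtracking-free) patterns, and accept bracketed IPv6
// literals, which a plain [a-zA-Z0-9.-] check rejects.
const MAX_HOST_LEN = 255; // assumed limit, matching the advisory's middleware

// One label is 1-63 letters, digits or hyphens; labels are joined by single
// dots. The mandatory '.' between repetitions keeps matching unambiguous.
const HOSTNAME_RE = /^[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})*\.?$/;
// Bracketed IPv6 literal such as [::1]: only hex digits, ':' and '.' inside.
const IPV6_LITERAL_RE = /^\[[0-9A-Fa-f:.]{2,45}\]$/;

// Returns { hostname, port } for a well-formed Host header, or null.
function parseHostHeader(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_HOST_LEN) {
    return null;
  }
  let hostPart = raw;
  let port = null;
  // Locate an optional ':port'. For a bracketed IPv6 literal it follows ']'.
  const sep = raw.startsWith('[') ? raw.indexOf(']') + 1 : raw.lastIndexOf(':');
  if (sep > 0 && sep < raw.length && raw[sep] === ':') {
    hostPart = raw.slice(0, sep);
    const portStr = raw.slice(sep + 1);
    if (!/^\d{1,5}$/.test(portStr)) return null;
    port = Number(portStr);
    if (port < 1 || port > 65535) return null;
  }
  const ok = hostPart.startsWith('[')
    ? IPV6_LITERAL_RE.test(hostPart)
    : HOSTNAME_RE.test(hostPart);
  return ok ? { hostname: hostPart, port } : null;
}

// Express-style middleware (assumed name) that rejects the request before
// Hawk ever sees the header; wire it with app.use(hostHeaderGuard).
function hostHeaderGuard(req, res, next) {
  if (parseHostHeader(req.headers.host) === null) {
    return res.status(400).send('Invalid Host header');
  }
  next();
}
```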

Rate limiting

all

Implement rate limiting to prevent repeated malicious requests from overwhelming the server.

// Using express-rate-limit:
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
});
app.use(limiter);

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests with suspicious Host headers
  • Use reverse proxy with request filtering to sanitize Host headers before reaching vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/hawk/package.json for version number below 9.0.1

Check Version:

npm list hawk | grep hawk
or
cat node_modules/hawk/package.json | grep version

Verify Fix Applied:

Confirm Hawk version is 9.0.1 or higher and test authentication with various Host headers

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request processing times
  • Multiple failed authentication attempts with varying Host headers
  • High CPU usage spikes coinciding with authentication requests

Network Indicators:

  • HTTP requests with unusually long or malformed Host headers
  • Rapid sequential requests to authentication endpoints

SIEM Query:

source="web_server" (host_header_length>255 OR host_header contains ".." OR host_header matches "[^a-zA-Z0-9.:-]+")
