CVE-2023-26104

7.5 HIGH

📋 TL;DR

All versions of the lite-web-server package are vulnerable to Denial of Service (DoS) when attackers send HTTP requests containing control characters that the decodeURI() function cannot parse. This vulnerability allows attackers to crash the web server, making it unavailable to legitimate users. Anyone using the lite-web-server package is affected.

💻 Affected Systems

Products:
  • lite-web-server
Versions: All versions
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using lite-web-server is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability requiring manual restart of the web server process, potentially causing extended downtime for applications relying on this server.

🟠 Likely Case

Temporary service disruption where the web server crashes and needs to be restarted, causing brief outages for users.

🟢 If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place to quickly recover from crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with malformed URIs containing control characters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-LITEWEBSERVER-3153703

Restart Required: Yes

Instructions:

1. Consider migrating to an alternative web server package.
2. If continuing with lite-web-server, implement input validation to filter control characters before decodeURI() processing.

🔧 Temporary Workarounds

Input Validation Filter

Add middleware to filter out control characters from incoming HTTP requests before they reach the vulnerable decodeURI() function.

// Add this middleware before request processing (assumes an Express-style app.use() hook):
app.use((req, res, next) => {
  // Strip raw ASCII control characters (0x00-0x1F, 0x7F) from the URL.
  req.url = req.url.replace(/[\x00-\x1F\x7F]/g, '');
  // decodeURI() throws URIError on malformed percent-escapes; reject the request
  // with 400 instead of letting the uncaught exception crash the process.
  try { decodeURI(req.url); } catch (e) {
    res.statusCode = 400;
    return res.end('Bad Request');
  }
  next();
});

🧯 If You Can't Patch

  • Implement rate limiting and request filtering at the network perimeter (firewall/WAF) to block requests with control characters.
  • Deploy monitoring and automated restart mechanisms to quickly recover from crashes.

🔍 How to Verify

Check if Vulnerable:

Check if your application uses lite-web-server by examining package.json or running 'npm list lite-web-server'.

Check Version:

npm list lite-web-server

Verify Fix Applied:

Test with crafted requests containing control characters (e.g., %00, %0D) to verify the server no longer crashes.

📡 Detection & Monitoring

Log Indicators:

  • Web server process crashes or restarts
  • Error logs showing decodeURI() failures or malformed URI errors

Network Indicators:

  • HTTP requests containing control characters in URLs (e.g., %00, %0D, %1B)

SIEM Query:

source="web_server_logs" AND (error="decodeURI" OR error="malformed" OR process="restart")
