CVE-2022-29167: 
JavaScript vulnerability analysis and mitigation

Hawk, an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification, was found to contain a vulnerability (CVE-2022-29167) in versions prior to 9.0.1. The vulnerability was discovered and disclosed in May 2022, affecting the npm package hawk (GitHub Advisory).

The vulnerability is classified as a Regular Expression Denial of Service (ReDoS) issue in the header parsing functionality. Specifically, the Hawk.utils.parseHost() function used a regular expression to parse Host HTTP headers, which could be exploited to cause exponential computation time increases with each additional character in malicious input. The vulnerability has been assigned a CWE-400 classification (NVD CNA).

If exploited, this vulnerability could allow attackers to cause a denial of service condition by crafting specific input that would trigger exponential computation time in the regular expression parsing. The issue could make the system unresponsive when processing specially crafted input files (Ubuntu Notice).

The vulnerability has been patched in version 9.0.1 of the hawk package, which replaces the regular expression-based parsing with the built-in URL class. As a workaround for users unable to update, Hawk.authenticate() can be used with explicit host and port options to bypass the vulnerable parseHost() function. System administrators are advised to update to the patched version through their package management system (GitHub Advisory).