dotnet · DotVVM · Critical
DotVVM ReDoS vulnerability mitigated with route regex timeout
What changed
DotVVM versions 4.3.15, 4.2.11 and 5.0.0-preview09 apply a 1 second timeout to route regex operations. When the timeout is triggered, DotVVM switches to the non-backtracking regex engine or returns HTTP 503.
Who it affects
DotVVM applications whose routes contain multiple unconstrained route parameters that are not separated by a '/'.
What to do today
Update to DotVVM 4.3.15, 4.2.11 or 5.0.0-preview09, and avoid placing multiple unconstrained route parameters in one route section without a '/' between them.
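The mitigation the advisory describes, a per-match timeout with a fallback to the non-backtracking engine or an HTTP 503, shown as an added C# example that is not DotVVM's own code. The `RouteRegexGuard` class, the route regex shapes (`AdjacentParams`, `SeparatedParams`) and the sample paths are assumptions constructed for illustration, not DotVVM's real route compiler output; `RegexOptions.NonBacktracking` requires .NET 7 or later.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration of the mitigation the advisory describes; this is not DotVVM's code.
// Every route regex match is bounded by a 1 second timeout. If it fires, the match is
// retried on the linear-time NonBacktracking engine (.NET 7+); if that engine cannot take
// the pattern, the request is answered with HTTP 503 rather than letting a worker thread
// spin on backtracking.
public static class RouteRegexGuard
{
    public static readonly TimeSpan RouteTimeout = TimeSpan.FromSeconds(1);

    // Assumed shape of a compiled route pattern for two unconstrained parameters in one
    // segment with nothing between them ("blog/{Year}{Slug}"): both groups compete for
    // the same characters, which is the ambiguity that gives the backtracking engine
    // redundant work. Constructed for illustration only.
    public const string AdjacentParams  = @"^blog/(?<Year>[^/]*)(?<Slug>[^/]*)$";

    // The form the advisory recommends: a '/' between the parameters delimits each group.
    public const string SeparatedParams = @"^blog/(?<Year>[^/]*)/(?<Slug>[^/]*)$";

    public sealed record RouteResult(HttpStatusCode Status, string? Year, string? Slug, string Engine);

    public static RouteResult Match(string pattern, string path)
    {
        // Regex(pattern, options, matchTimeout): the match throws once the timeout elapses.
        var backtracking = new Regex(pattern, RegexOptions.None, RouteTimeout);
        try
        {
            return ToResult(backtracking.Match(path), "backtracking");
        }
        catch (RegexMatchTimeoutException)
        {
            try
            {
                // NonBacktracking guarantees time linear in the input length. Its constructor
                // throws NotSupportedException for constructs it cannot handle (backreferences,
                // lookarounds, atomic groups), in which case we refuse the request.
                var linear = new Regex(pattern, RegexOptions.NonBacktracking, RouteTimeout);
                return ToResult(linear.Match(path), "nonbacktracking");
            }
            catch (NotSupportedException)
            {
                return new RouteResult(HttpStatusCode.ServiceUnavailable, null, null, "none");
            }
        }
    }

    private static RouteResult ToResult(Match m, string engine) =>
        m.Success
            ? new RouteResult(HttpStatusCode.OK, m.Groups["Year"].Value, m.Groups["Slug"].Value, engine)
            : new RouteResult(HttpStatusCode.NotFound, null, null, engine);

    public static void Main()
    {
        // Constructed sample paths: the separated route is unambiguous, the adjacent one is not.
        foreach (var (pattern, path) in new[]
        {
            (SeparatedParams, "blog/2024/redos-fix"),
            (AdjacentParams,  "blog/2024redos-fix"),
        })
        {
            var r = Match(pattern, path);
            Console.WriteLine($"{path,-22} -> {r.Status} year='{r.Year}' slug='{r.Slug}' via {r.Engine}");
        }
    }
}
```

Two things worth noticing in the output: with the separated pattern each parameter gets exactly the text between slashes, while with the adjacent pattern the first group greedily takes everything and the second is empty, which is the sign that such a route is ambiguous and should be rewritten with a separator or a constraint rather than left for the timeout to rescue.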
Source
GitHub Advisory · DotVVM