CVE-2025-55152 in oak
Summary
by MITRE • 08/09/2025
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.
Analysis
by VulDB Data Team • 08/12/2025
The vulnerability identified as CVE-2025-55152 affects the oak middleware framework used in various JavaScript and TypeScript runtimes including Deno Deploy, Node.js 16.5+, Cloudflare Workers, and Bun. This security flaw resides in versions 17.1.5 and earlier, presenting a significant performance degradation risk to affected systems. The flaw lies in the handling of HTTP headers, specifically the x-forwarded-proto and x-forwarded-for headers, which are commonly used in proxy and load balancer configurations for web applications.
The technical flaw manifests through improper parsing and validation of these forwarded headers, creating a potential denial of service condition. When maliciously crafted values are sent in the x-forwarded-proto or x-forwarded-for headers, the oak framework processes these inputs in a manner that consumes excessive computational resources. This behavior results in significant performance degradation of the affected HTTP server, effectively slowing down response times and potentially rendering the service unusable to legitimate users. The vulnerability operates at the application layer and can be exploited through HTTP requests without requiring authentication or specialized privileges.
The operational impact of this vulnerability extends across multiple deployment environments where oak middleware is utilized, making it particularly concerning for organizations relying on these platforms for their web applications. The performance degradation can be substantial enough to cause service unavailability, affecting user experience and potentially leading to business disruption. Attackers can exploit this vulnerability by crafting HTTP requests with malformed header values that trigger inefficient processing logic within the oak framework. This type of attack falls under the category of resource exhaustion attacks, where the attacker leverages legitimate application functionality to consume excessive system resources. The vulnerability is classified under CWE-400, which addresses excessive resource consumption, and aligns with ATT&CK technique T1499.004 for resource exhaustion attacks.
Organizations using affected oak versions should implement immediate mitigations including upgrading to version 17.1.6 or later, which contains the necessary patches to address this vulnerability. Additionally, administrators should consider implementing rate limiting mechanisms and header validation rules at the network level to prevent exploitation. Monitoring for unusual patterns in header values and server performance metrics can help detect potential exploitation attempts. The fix implemented in newer versions likely involves improved input validation and more efficient parsing algorithms for forwarded headers, preventing the excessive computational overhead that previously occurred when processing malformed values. Security teams should also review their deployment configurations to ensure proper header sanitization and consider implementing additional defensive measures such as web application firewalls that can detect and block suspicious header patterns.
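As an added illustration of the header validation the analysis recommends (this is not oak's code and not the 17.1.6 fix), the following pre-check bounds the length and hop count of x-forwarded-for and x-forwarded-proto and validates them in a single character pass with no regular expressions, so the framework never parses oversized or malformed values. The function names, limits and sample headers are assumptions.

```typescript
// Added example, not oak's code: a defensive pre-check for forwarded headers.
// Names, limits and sample values below are assumptions for illustration.

const MAX_HEADER_LENGTH = 512;  // assumed cap on raw header length
const MAX_FORWARDED_HOPS = 10;  // assumed cap on entries in x-forwarded-for

interface HeaderCheck {
  ok: boolean;
  reason?: string;
}

// Single-pass character check (no regex, so no backtracking on odd input).
// Strict on purpose: only hex digits, '.' and ':' as found in IPv4/IPv6 text;
// bracketed or port-suffixed forms are rejected unless you relax this.
function isAddressToken(token: string): boolean {
  if (token.length === 0 || token.length > 45) return false; // 45 = longest IPv6 text
  for (let i = 0; i < token.length; i++) {
    const ch = token.charAt(i);
    const isHex = (ch >= "0" && ch <= "9") || (ch >= "a" && ch <= "f") || (ch >= "A" && ch <= "F");
    if (!isHex && ch !== "." && ch !== ":") return false;
  }
  return true;
}

// Returns { ok: true } when both headers are absent or well-formed; otherwise
// a reason suitable for logging. Call this before the framework parses them.
function checkForwardedHeaders(headers: Record<string, string | undefined>): HeaderCheck {
  const proto = headers["x-forwarded-proto"];
  if (proto !== undefined) {
    if (proto.length > MAX_HEADER_LENGTH) return { ok: false, reason: "x-forwarded-proto too long" };
    for (const part of proto.split(",")) {          // one scheme per proxy hop
      const p = part.trim().toLowerCase();
      if (p !== "http" && p !== "https") return { ok: false, reason: "x-forwarded-proto: unexpected scheme" };
    }
  }
  const xff = headers["x-forwarded-for"];
  if (xff !== undefined) {
    if (xff.length > MAX_HEADER_LENGTH) return { ok: false, reason: "x-forwarded-for too long" };
    const hops = xff.split(",");
    if (hops.length > MAX_FORWARDED_HOPS) return { ok: false, reason: "x-forwarded-for: too many entries" };
    for (const hop of hops) {
      if (!isAddressToken(hop.trim())) return { ok: false, reason: "x-forwarded-for: malformed address" };
    }
  }
  return { ok: true };
}

// Constructed sample headers (not from any real request).
const sampleHeaders = { "x-forwarded-for": "203.0.113.7, 10.0.0.2", "x-forwarded-proto": "https" };
console.log(checkForwardedHeaders(sampleHeaders)); // { ok: true }
```

Rejected requests should be logged with the returned reason and counted, since a spike in rejections is the kind of unusual header pattern the analysis suggests monitoring for.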