CVE-2022-29167: CWE-400: Uncontrolled Resource Consumption in mozilla hawk
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack: each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument; if that contains `host` and `port`, those are used instead of a call to `utils.parseHost()`.
AI Analysis
Technical Summary
CVE-2022-29167 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Mozilla Hawk HTTP authentication scheme prior to version 9.0.1. Hawk is designed to provide authenticated HTTP requests with partial cryptographic verification, including validation of the HTTP method, request URI, host, and optionally the request payload. The vulnerability arises from the way Hawk parses the `Host` HTTP header using a regular expression in the function `Hawk.utils.parseHost()`. This regular expression is susceptible to a Regular Expression Denial of Service (ReDoS) attack, where an attacker can craft a maliciously long or complex `Host` header input that causes the regular expression engine to consume exponentially increasing CPU resources as input length grows. This results in significant performance degradation or service unavailability due to resource exhaustion. The vulnerability was addressed in version 9.0.1 by replacing the vulnerable regular expression parsing with the use of the built-in JavaScript `URL` class, which is more efficient and not vulnerable to ReDoS. Additionally, the `Hawk.authenticate()` function accepts an `options` argument that, if containing `host` and `port`, bypasses the vulnerable `parseHost()` call, mitigating the risk if used properly. No known exploits have been reported in the wild, and no CVSS score is assigned. The vulnerability primarily impacts systems using versions of the Hawk library older than 9.0.1 that process untrusted HTTP requests with the vulnerable parsing method.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for Denial of Service (DoS) attacks against services relying on the vulnerable Hawk library for HTTP authentication. An attacker could send specially crafted HTTP requests with malicious `Host` headers to exhaust CPU resources on affected servers, leading to degraded performance or complete service outages. This can disrupt business operations, especially for web services, APIs, or microservices using Hawk for authentication. Confidentiality and integrity are not directly impacted by this vulnerability, as it does not allow unauthorized access or data manipulation. However, availability is significantly affected, which can indirectly impact business continuity and customer trust. Organizations in sectors with high reliance on web-based services, such as finance, telecommunications, and government services, may experience operational disruptions. The absence of known exploits reduces immediate risk, but the ease of triggering ReDoS attacks with crafted inputs means the threat remains relevant. The vulnerability's impact is limited to systems using vulnerable Hawk versions and processing untrusted HTTP requests, so organizations using updated versions or alternative authentication schemes are not affected.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately upgrade all instances of the Hawk library to version 9.0.1 or later, where the vulnerable regular expression parsing has been replaced with the secure `URL` class.
2) Review and audit all applications and services that use Hawk for HTTP authentication to ensure they do not rely on vulnerable versions.
3) If upgrading is not immediately feasible, implement input validation and filtering at the network or application layer to detect and block suspiciously long or malformed `Host` headers that could trigger ReDoS.
4) Utilize web application firewalls (WAFs) with custom rules to detect and mitigate ReDoS attack patterns targeting the `Host` header.
5) Monitor application performance metrics and logs for signs of resource exhaustion or unusual request patterns indicative of ReDoS attempts.
6) Educate developers and security teams about the risks of ReDoS vulnerabilities and the importance of using safe parsing methods for user-controlled inputs.
7) Where possible, configure `Hawk.authenticate()` calls to use the `options` argument with explicit `host` and `port` values to bypass vulnerable parsing logic.
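The following is an added example, not code from the Hawk project or from this advisory. It demonstrates the two defensive moves described above: parsing the `Host` header with the built-in `URL` class (the approach the 9.0.1 fix takes) behind a hard length cap, and handing the resulting `host` and `port` to `Hawk.authenticate()` through its `options` argument so the library's own `parseHost()` is never invoked. `parseHostHeader()`, `authOptionsFromRequest()`, the 255-byte cap and the use of `req.socket.encrypted` to pick the default port are assumptions of this example; the sample requests are constructed, not captured traffic.

```javascript
// Added example (not Hawk's own code). Goal: never hand an unbounded,
// untrusted Host header to a backtracking regex, and never let Hawk parse
// it either: compute host/port once, safely, and pass them in as options.
// parseHostHeader / authOptionsFromRequest are hypothetical helper names.

const MAX_HOST_HEADER_BYTES = 255; // assumption: tune to your own deployment

// Returns { host, port } or null. Null means "reject the request up front".
function parseHostHeader(hostHeader, encrypted = false) {
  if (typeof hostHeader !== 'string') {
    return null;
  }
  // A hard length bound is the cheapest ReDoS defence: it caps the work any
  // parser (regex or otherwise) can be made to do on this field.
  const value = hostHeader.trim();
  if (value.length === 0 || value.length > MAX_HOST_HEADER_BYTES) {
    return null;
  }
  // The URL parser silently strips embedded tabs/newlines; refuse them instead.
  if (/\s/.test(value)) {
    return null;
  }

  let url;
  try {
    // WHATWG URL parsing runs in time linear in the input, which is why the
    // fix swapped the regex for it. An invalid authority (forbidden host
    // characters, port > 65535, ...) throws rather than backtracking.
    url = new URL(`http://${value}`);
  } catch {
    return null;
  }

  // Anything beyond "host[:port]" means the header was not a plain authority
  // (e.g. "example.test/admin" or "user@example.test"): reject it.
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '' ||
      url.username !== '' || url.password !== '') {
    return null;
  }

  // When the client omitted the port, default it from the connection type,
  // which is what a server-side host/port check needs.
  const port = url.port !== '' ? Number(url.port) : (encrypted ? 443 : 80);
  // url.hostname is already lower-cased; IPv6 literals keep their brackets.
  return { host: url.hostname, port };
}

// Builds the `options` object for Hawk.authenticate(). Supplying `host` and
// `port` explicitly means Hawk's own parseHost() is never reached.
function authOptionsFromRequest(req) {
  // assumption: Node-style request where a TLS socket exposes `encrypted`
  const encrypted = Boolean(req.socket && req.socket.encrypted);
  const parsed = parseHostHeader(req.headers.host, encrypted);
  if (parsed === null) {
    return null; // caller should answer 400 and skip authentication entirely
  }
  return { host: parsed.host, port: parsed.port };
}

// Constructed sample requests (not captured traffic) covering accept/reject paths.
const sampleRequests = [
  { headers: { host: 'api.example.test:8443' }, socket: { encrypted: true } },
  { headers: { host: '[::1]:3000' }, socket: { encrypted: false } },
  { headers: { host: 'api.example.test/admin' }, socket: { encrypted: false } },
  { headers: { host: 'a'.repeat(4096) }, socket: { encrypted: false } },
];

for (const req of sampleRequests) {
  const options = authOptionsFromRequest(req);
  console.log(JSON.stringify(req.headers.host.slice(0, 40)), '=>', options);
  // A non-null `options` is what you would pass as the options argument of
  // Hawk.authenticate(); a null result means the request is rejected before
  // any authentication work happens.
}
```

The length check comes first on purpose: it bounds the cost of every later step regardless of how the parser behaves, which is the same property a WAF rule on `Host` length gives you at the edge. Rejecting userinfo, path and query components closes the gap where a header that still yields a valid `URL` object would otherwise produce a host that differs from what the client actually sent.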
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-04-13T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9843c4522896dcbf2f14
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 8:51:18 AM
Last updated: 8/14/2025, 10:57:54 PM
Views: 18