
CVE-2025-55152: CWE-400: Uncontrolled Resource Consumption in oakserver oak

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-55152, CWE-400, CWE-1333
Published: Sat Aug 09 2025 (08/09/2025, 01:29:54 UTC)
Source: CVE Database V5
Vendor/Project: oakserver
Product: oak

Description

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.

AI-Powered Analysis

Last updated: 08/17/2025, 01:09:07 UTC

Technical Analysis

CVE-2025-55152 is a medium-severity vulnerability in oak, the middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. The affected range in the record is oak 17.1.5 and below, so 17.1.6 is the first release outside it. A request carrying a specially crafted x-forwarded-proto or x-forwarded-for header value can significantly slow down the server. The record classifies the weakness as CWE-400 (Uncontrolled Resource Consumption) and also tags CWE-1333 (Inefficient Regular Expression Complexity), which points to a header value that drives super-linear work in the code that parses these headers, rather than to memory or connection exhaustion. The record does not publish the crafted values or the vulnerable code path.

The impact is to availability only; confidentiality and integrity are not affected. The CVSS v3.1 base score is 5.3 with a network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N) and unchanged scope (S:U). With C:N and I:N, a 5.3 score corresponds to low attack complexity (AC:L) and a low availability impact (A:L). These headers are attacker-controlled on any request that reaches oak without a proxy in front that rewrites them, so the attack is a single unauthenticated HTTP request that can be repeated at will. No in-the-wild exploitation is reported, and the record carries no patch reference beyond the affected-version bound.

Any deployment that runs oak on Deno, Deno Deploy, Node.js, Cloudflare Workers or Bun and accepts requests from untrusted networks is in scope.

Potential Impact

For European organizations the risk is to the availability of web applications and APIs built on oak 17.1.5 or below. An attacker who can reach the service can send requests with crafted x-forwarded-proto or x-forwarded-for values and degrade or deny service, which disrupts operations and, for public-facing services in finance, healthcare, government and e-commerce, carries direct financial and reputational cost. No authentication is needed, which raises the threat level for anything exposed to the internet. The medium CVSS score and the absence of reported in-the-wild exploitation mean this is not a drop-everything event, but the cost of a CPU-bound request in a single-threaded runtime is high enough that remediation should not wait for evidence of active attacks.

Mitigation Recommendations

Upgrade oak to 17.1.6 or later, the first release outside the affected range. Where the upgrade cannot be rolled out immediately, keep crafted values from reaching oak's header handling: at the reverse proxy or load balancer, strip client-supplied x-forwarded-for and x-forwarded-proto headers and re-set them from the connection, or at least cap their length and allow only comma-separated IP literals and the values http and https; in the application, apply the same check in a middleware mounted before any router. Rate limiting by source IP and WAF rules on header length and character class reduce how often the attack can be repeated but do not remove it. For detection, alert on request-latency or event-loop-lag spikes that correlate with unusual x-forwarded-* values in access logs; log the header length rather than the raw value so the logs themselves stay small. Redundancy and failover limit the blast radius of a successful slowdown. Keep dependencies current and include oak in routine dependency audits.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-07T18:27:23.305Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6896a8c3ad5a09ad00085a7e

Added to database: 8/9/2025, 1:47:47 AM

Last enriched: 8/17/2025, 1:09:07 AM

Last updated: 8/17/2025, 1:09:07 AM
