Scan free
HIGHCVE-2017-16118CVSS 7.5

CVE-2017-16118: DoS in forwarded Go Package

Platform

nodejs

Component

forwarded

Fixed in

0.1.2

View on NVD
Save

CVE-2017-16118 describes a Denial of Service (DoS) vulnerability within the forwarded Go package. This vulnerability arises from the package's handling of regular expressions when parsing user input, allowing an attacker to trigger a denial of service. Affected versions are those prior to 0.1.2. A fix is available in version 0.1.2.

Impact and Attack Scenarios

An attacker can exploit this vulnerability by sending specially crafted input to applications utilizing the forwarded package. This malicious input triggers a computationally expensive regular expression match, effectively exhausting server resources and leading to a denial of service. The impact can range from temporary service unavailability to complete system crashes, disrupting operations and potentially impacting user access. The blast radius extends to any application relying on the vulnerable forwarded package, particularly those handling external user input without proper sanitization.

Exploitation Context

CVE-2017-16118 was published on July 24, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low given the lack of public exploits and the relatively straightforward mitigation (package upgrade). No known KEV status.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.60% (69% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2017-16118 is to upgrade the forwarded Go package to version 0.1.2 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the injection of malicious regular expressions. Specifically, restrict the characters allowed in the X-Forwarded-For header or other relevant fields. While not a complete solution, this can reduce the likelihood of exploitation. After upgrading, confirm the fix by sending a test payload containing a known malicious regular expression and verifying that the application does not crash or exhibit performance degradation.

How to fix

No official patch available. Check for workarounds or monitor for updates.

Frequently asked questions

What is CVE-2017-16118 — DoS in forwarded Go Package?

CVE-2017-16118 is a denial-of-service vulnerability in the forwarded Go package. A crafted input can trigger a resource-intensive regular expression, leading to service disruption.

Am I affected by CVE-2017-16118 in forwarded Go Package?

You are affected if you are using a version of the forwarded Go package prior to 0.1.2 in your Go applications.

How do I fix CVE-2017-16118 in forwarded Go Package?

Upgrade the forwarded Go package to version 0.1.2 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.

Is CVE-2017-16118 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2017-16118.

Where can I find the official forwarded advisory for CVE-2017-16118?

Refer to the GitHub repository for the forwarded package for updates and advisories: https://github.com/posener/forwarded

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...