Module Federation: Inefficient Regular Expression Complexity in koa #30016

EelcoLos · 2025-02-13T06:07:24Z

Current Behavior

A notification on security of nx repos having the @nx/module-federation package: GHSA-593f-38f6-jp5m

Summary

Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.
PoC

Coming soon.
Impact

This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Expected Behavior

Resolving the security issue by updating koa for this plugin the package @module-federation/enhanced will need to update where module-federation/core#3514 needs to be merged and released

GitHub Repo

https://github.com/EelcoLos/nx-tinkering/security/dependabot/21

Steps to Reproduce

n/a

Nx Report

NX   Report complete - copy this into the issue template

Node           : 22.13.1
OS             : win32-x64
Native Target  : x86_64-windows
npm            : 10.9.2

nx                     : 20.4.2
@nx/js                 : 20.4.2
@nx/jest               : 20.4.2
@nx/eslint             : 20.4.2
@nx/workspace          : 20.4.2
@nx/angular            : 20.4.2
@nx/devkit             : 20.4.2
@nx/eslint-plugin      : 20.4.2
@nx/module-federation  : 20.4.2
@nx/playwright         : 20.4.2
@nx/vite               : 20.4.2
@nx/web                : 20.4.2
@nx/webpack            : 20.4.2
typescript             : 5.7.3
---------------------------------------
Registered Plugins:
@nx/playwright/plugin
@nx/eslint/plugin
@nx-dotnet/core
---------------------------------------
Community plugins:
@nx-dotnet/core : 2.5.0
angular-eslint  : 19.1.0

Failure Logs

Package Manager Version

No response

Operating System

macOS
Linux
Windows
Other (Please specify)

Additional Information

putting this here to have links regarding the package needing to be updated

The text was updated successfully, but these errors were encountered:

ahnpnl · 2025-02-18T08:31:43Z

I think will probably need to be released as patch for several Nx major versions too. @nx/angular package is also affected

moinerus · 2025-02-19T14:42:12Z

Would be great to see this fixed asap.

monkeycatdog · 2025-02-20T09:51:56Z

Any patches available?

EelcoLos added the type: bug label Feb 13, 2025

Laurensvdw marked this as a duplicate of #30083 Feb 19, 2025

Laurensvdw mentioned this issue Feb 19, 2025

Nx currently has a critical dependency (audit) in the @nx/module-federation package #30083

Closed

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Module Federation: Inefficient Regular Expression Complexity in koa #30016

Module Federation: Inefficient Regular Expression Complexity in koa #30016

EelcoLos commented Feb 13, 2025

ahnpnl commented Feb 18, 2025 •

edited

Loading

moinerus commented Feb 19, 2025

monkeycatdog commented Feb 20, 2025

Module Federation: Inefficient Regular Expression Complexity in koa #30016

Module Federation: Inefficient Regular Expression Complexity in koa #30016

Comments

EelcoLos commented Feb 13, 2025

Current Behavior

Expected Behavior

GitHub Repo

Steps to Reproduce

Nx Report

Failure Logs

Package Manager Version

Operating System

Additional Information

ahnpnl commented Feb 18, 2025 • edited Loading

moinerus commented Feb 19, 2025

monkeycatdog commented Feb 20, 2025

ahnpnl commented Feb 18, 2025 •

edited

Loading