VulnerableCode Package Details - pkg:npm/hawk@3.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-b9vv-7ubf-xudx Aliases: CVE-2016-2515 GHSA-jcpv-g9rr-qxrc	Regular Expression Denial of Service Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." Updates: - Updated to include fix in 3.1.3	3.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-knss-jhn4-8ufw Aliases: CVE-2022-29167 GHSA-44pw-h2cw-w3vq	Regular Expression Denial of Service Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.	9.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-b9vv-7ubf-xudx
Aliases:
CVE-2016-2515
GHSA-jcpv-g9rr-qxrc

Regular Expression Denial of Service Specifically crafted long headers or uris can cause a minor denial of service when using hawk versions less than 4.1.1. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." Updates: - Updated to include fix in 3.1.3

3.1.3
Affected by 1 other vulnerability.

4.1.1
Affected by 1 other vulnerability.

VCID-knss-jhn4-8ufw
Aliases:
CVE-2022-29167
GHSA-44pw-h2cw-w3vq

Regular Expression Denial of Service Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.

9.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:45:22.873637+00:00	GitLab Importer	Affected by	VCID-knss-jhn4-8ufw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hawk/CVE-2022-29167.yml	38.6.0
2026-06-04T20:05:48.541318+00:00	GitLab Importer	Affected by	VCID-b9vv-7ubf-xudx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hawk/CVE-2016-2515.yml	38.6.0

2026-06-06T01:45:22.873637+00:00

GitLab Importer

Affected by

VCID-knss-jhn4-8ufw

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hawk/CVE-2022-29167.yml

38.6.0

2026-06-04T20:05:48.541318+00:00

GitLab Importer

Affected by

VCID-b9vv-7ubf-xudx

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/hawk/CVE-2016-2515.yml

38.6.0

Next non-vulnerable version	9.0.1
Latest non-vulnerable version	9.0.1
Risk	4.0