{"url":"http://public2.vulnerablecode.io/api/packages/755633?format=json","purl":"pkg:npm/%40oakserver/oak@14.0.0","type":"npm","namespace":"@oakserver","name":"oak","version":"14.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121603?format=json","vulnerability_id":"VCID-5d2z-2wdj-mfej","summary":"oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55152","reference_id":"","reference_type":"","scores":[{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60169","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60287","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00385","scoring_system":"epss","scoring_elements":"0.60276","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55152"},{"reference_url":"https://github.com/oakserver/oak","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/oakserver/oak"},{"reference_url":"https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L142"},{"reference_url":"https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/oakserver/oak/blob/v17.1.5/request.ts#L87"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55152","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55152"},{"reference_url":"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44","reference_id":"b60e60330ef227707c4dc13ef0ea36192d894f44","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T13:33:12Z/"}],"url":"https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"},{"reference_url":"https://github.com/advisories/GHSA-r3v7-pc4g-7xp9","reference_id":"GHSA-r3v7-pc4g-7xp9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r3v7-pc4g-7xp9"},{"reference_url":"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9","reference_id":"GHSA-r3v7-pc4g-7xp9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-11T13:33:12Z/"}],"url":"https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"}],"fixed_packages":[],"aliases":["CVE-2025-55152","GHSA-r3v7-pc4g-7xp9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5d2z-2wdj-mfej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38195?format=json","vulnerability_id":"VCID-urm2-qasz-mfhs","summary":"`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49770","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23942","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24149","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.2414","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-49770"},{"reference_url":"https://github.com/oakserver/oak","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/oakserver/oak"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49770","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49770"},{"reference_url":"https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209","reference_id":"4b2f27efd5cba5a45b2c3982e610da3af0869209","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-01T17:32:52Z/"}],"url":"https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209"},{"reference_url":"https://github.com/advisories/GHSA-qm92-93fv-vh7m","reference_id":"GHSA-qm92-93fv-vh7m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qm92-93fv-vh7m"},{"reference_url":"https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m","reference_id":"GHSA-qm92-93fv-vh7m","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-01T17:32:52Z/"}],"url":"https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m"},{"reference_url":"https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125","reference_id":"send.ts#L117-L125","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-01T17:32:52Z/"}],"url":"https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125"},{"reference_url":"https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25","reference_id":"send.ts#L182C10-L182C25","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-01T17:32:52Z/"}],"url":"https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25"}],"fixed_packages":[],"aliases":["CVE-2024-49770","GHSA-qm92-93fv-vh7m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-urm2-qasz-mfhs"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540oakserver/oak@14.0.0"}