## CVE-2016-10539: High-Severity ReDoS Vulnerability in Node.js 'negotiator' Library Affects Express, Koa
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2016-10539, has been identified in the widely used Node.js HTTP content negotiation library `negotiator`. The flaw lies in the parsing of the `Accept-Language` HTTP header in versions 0.6.0 and earlier. An attacker can trigger catastrophic backtracking in the parsing regular expression by sending a specially crafted header value, tying up the event loop and causing a denial of service that can cripple server performance.

The vulnerable library, `negotiator`, is a critical dependency for major Node.js web frameworks, including Express and Koa. In a typical dependency chain, a root library like `express-4.13.4.tgz` depends on `accepts-1.2.13.tgz`, which in turn pulls in the vulnerable `negotiator-0.5.3.tgz`. This deep, nested inclusion means countless production applications may be exposed without developers' direct knowledge, as the vulnerability is buried within a common dependency tree.

The exposure is significant because of `negotiator`'s role in core HTTP functionality. Any application using affected versions of Express, Koa, or other modules that rely on this library for content negotiation is at risk. The vulnerability warrants immediate scrutiny from DevOps and security teams, who should audit their `node_modules`, update the affected dependency, and assess the potential for service disruption across their web application stacks.
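A lockfile audit for the nested inclusion described above, as an added example that is not code from the `negotiator`, Express or Koa projects: it walks a parsed `package-lock.json` (both the nested lockfileVersion 1 tree and the flat lockfileVersion 2/3 `packages` map) and reports every copy of `negotiator` below 0.6.1, a boundary assumed from "0.6.0 and earlier"; the sample lock data is constructed to mirror the chain in the text.

```javascript
// Added audit helper, not part of negotiator, Express or Koa: scan a parsed
// package-lock.json for negotiator copies in the affected range. The boundary
// 0.6.1 is assumed from "0.6.0 and earlier"; the sample lock data is constructed.
const VULN_PACKAGE = 'negotiator';
const FIXED_VERSION = '0.6.1'; // assumption: first release outside the affected range

// Numeric compare of "x.y.z" strings; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns one "express > accepts > negotiator@0.5.3" string per vulnerable copy.
// v2 lockfiles carry both "packages" and "dependencies", so the flat map wins.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const chain = path.split('/').filter((p) => p !== 'node_modules');
      if (chain[chain.length - 1] === VULN_PACKAGE && compareVersions(info.version, FIXED_VERSION) < 0) {
        hits.push(`${chain.join(' > ')}@${info.version}`);
      }
    }
    return hits;
  }
  const walk = (deps, chain) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === VULN_PACKAGE && compareVersions(info.version, FIXED_VERSION) < 0) {
        hits.push(`${chain.concat(name).join(' > ')}@${info.version}`);
      }
      walk(info.dependencies, chain.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
// Constructed lockfileVersion 1 sample reproducing the chain in the advisory.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  express: { version: '4.13.4', dependencies: {
    accepts: { version: '1.2.13', dependencies: { negotiator: { version: '0.5.3' } } } } },
  koa: { version: '2.0.0', dependencies: {
    accepts: { version: '1.3.3', dependencies: { negotiator: { version: '0.6.1' } } } } },
} };
console.log(findVulnerable(SAMPLE_LOCK)); // [ 'express > accepts > negotiator@0.5.3' ]
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit means the fix is to bump the chain so `negotiator` resolves to 0.6.1 or later.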

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2016-10539, Node.js, ReDoS, Express, Koa
- **Credibility**: unverified
- **Published**: 2026-03-31 06:27:18
- **ID**: 42522
- **URL**: https://whisperx.ai/en/intel/42522