## CVE-2016-10539: High-Severity ReDoS Vulnerability in Node.js 'negotiator' Library Affects Express, Koa
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2016-10539, has been identified in the widely used Node.js HTTP content negotiation library `negotiator`. The flaw, present in versions 0.6.0 and earlier, allows an attacker to crash the server or severely degrade its performance by sending a specially crafted "Accept-Language" header string. This creates a direct vector for application downtime and service disruption.

The vulnerable library, `negotiator-0.5.3.tgz`, is not a direct dependency for most developers but is deeply embedded in the Node.js ecosystem. It is a critical component pulled in by the popular `accepts` library, which itself is a core dependency of major web frameworks like Express (version 4.13.4) and Koa. This dependency chain means thousands of applications may be exposed without developers' direct knowledge, as the vulnerability resides several layers down in their `package.json` dependency tree.

The public advisory was published on May 31, 2016, indicating this is a known, historical vulnerability. However, its presence in a scan suggests that outdated, unpatched versions of this library may still be actively deployed in production environments. This poses a persistent risk, especially for legacy systems or applications with infrequent dependency updates, leaving them susceptible to denial-of-service attacks that could halt web services.
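Because the advisory stresses that `negotiator` is usually pulled in transitively, the practical check is to walk the lockfile's nested dependency tree rather than look at direct dependencies. The script below is an added example, not code from the advisory or the `negotiator` project; it assumes a lockfile-v1-style `{ name: { version, dependencies } }` shape, and the sample tree (including the `accepts` and Koa version numbers) is constructed for illustration.

```javascript
// Added example: find negotiator <= 0.6.0 anywhere in a nested dependency
// tree and report the chain through which it is pulled in.

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Vulnerable range from the advisory: 0.6.0 and earlier.
function isVulnerableNegotiator(version) {
  const [maj, min, pat] = parseSemver(version);
  if (maj !== 0) return maj < 0;
  if (min !== 6) return min < 6;
  return pat <= 0;
}

// Recurse through a lockfile-v1-style map and collect "a@x > b@y > negotiator@z"
// paths for every vulnerable copy (there may be several at different depths).
function findVulnerableNegotiator(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'negotiator' && isVulnerableNegotiator(info.version)) {
      out.push(here.join(' > '));
    }
    findVulnerableNegotiator(info.dependencies, here, out);
  }
  return out;
}

// Constructed sample tree mirroring the express -> accepts -> negotiator chain
// named in the advisory; the accepts and koa versions are made up.
const sampleLock = {
  express: {
    version: '4.13.4',
    dependencies: {
      accepts: { version: '1.2.13', dependencies: { negotiator: { version: '0.5.3' } } },
    },
  },
  koa: {
    version: '2.0.0',
    dependencies: {
      accepts: { version: '1.3.3', dependencies: { negotiator: { version: '0.6.1' } } },
    },
  },
};

console.log(findVulnerableNegotiator(sampleLock));
// prints [ 'express@4.13.4 > accepts@1.2.13 > negotiator@0.5.3' ]
```

On a real project, load `JSON.parse(fs.readFileSync('package-lock.json'))` and pass its `dependencies` object in place of `sampleLock`.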
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2016-10539, Node.js, ReDoS, Express, Supply Chain Security
- **Credibility**: unverified
- **Published**: 2026-04-02 23:27:01
- **ID**: 48115
- **URL**: https://whisperx.ai/en/intel/48115