{"id":"CVE-2017-16136","details":"method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.","aliases":["GHSA-qx2f-477c-35rq"],"modified":"2026-03-13T23:19:21.570511Z","published":"2018-06-07T02:29:03.770Z","references":[{"type":"ADVISORY","url":"https://nodesecurity.io/advisories/538"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/expressjs/method-override","events":[{"introduced":"0"},{"fixed":"ddfc7ccd42c468bfef54b7698d1c4acb85cce758"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.10"}]}}],"versions":["1.0.0","1.0.1","1.0.2","2.0.0","2.0.1","2.0.2","2.1.0","2.1.1","2.1.2","2.1.3","2.2.0","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}