GHSA-7mc5-chhp-fmc3

GitHub Security Advisory

Regular Expression Denial of Service in negotiator

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.

## Recommendation

Update to version 0.6.1 or later.

Affected Packages

npm negotiator
Affected versions: 0 (fixed in 0.6.1)

Related CVEs

Key Information

GHSA ID
GHSA-7mc5-chhp-fmc3
Published
October 9, 2018 12:30 AM
Last Modified
August 31, 2020 6:11 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
negotiator
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.