GHSA-qx2f-477c-35rq

GitHub Security Advisory

method-override ReDoS when untrusted user input passed into X-HTTP-Method-Override header

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Affected versions of `method-override` are vulnerable to regular expression denial of service (ReDoS) when untrusted user input is passed into the `X-HTTP-Method-Override` header.

## Recommendation

Update to version 2.3.10 or later.

Affected Packages

npm method-override
Affected versions: 1.0.2 (fixed in 2.3.10)
npm method-override
Affected versions: 2.0.0 (fixed in 2.3.10)

Key Information

GHSA ID: GHSA-qx2f-477c-35rq
Published: July 24, 2018 8:06 PM
Last Modified: September 11, 2023 6:24 PM
CVSS Score: 7.5/10
Primary Ecosystem: npm
Primary Package: method-override
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.