Intel

AIKIDO-2026-293375

@middy/http-response-serializer is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

54

Medium Risk

This Affects:

JS@middy/http-response-serializer
1.0.0 - 7.6.7
Fixed in 7.6.8
Are you affected? Scan for Free

TL;DR

The http-response-serializer middleware selects a response serializer by testing request-negotiated media types against configured serializer regular expressions and reflects the matched media type into the Content-Type response header. It does not bound the media-type length or validate its grammar, so an attacker who controls the negotiated media types can supply very long or crafted values. This can drive catastrophic backtracking in serializer regular expressions and echo attacker-controlled strings into the response header. The fix caps media-type length at 128 characters and validates each value against a media-type grammar before matching or reflecting it.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and responses are serialized based on untrusted negotiated media types.

Background info

@middy/http-response-serializer is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 1.0.0 - 7.6.7.

How to fix this

Upgrade the @middy/http-response-serializer library to the patch version.