Undici vulnerable to Regular Expression Denial of Service in Headers
CVE-2023-24807

7.5HIGH

Key Information:

Vendor: Nodejs
Status: Undici
Vendor: CVE Published:; 16 February 2023

What is CVE-2023-24807?

The Undici HTTP/1.1 client for Node.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted input is used with the Headers.set() and Headers.append() methods. This vulnerability arises from the inefficiencies in the regular expression utilized in the headerValueNormalize() utility function. The issue has been addressed in version 5.19.1 of Undici. To mitigate the risk, users are strongly advised to upgrade to this version immediately, as no workarounds are available to rectify the vulnerability without an update.

Affected Version(s)

undici < 5.19.1

References

https://github.com/nodejs/undici/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nodejs/undici/commit/f2324e549943f0b09...

x_refsource_MISC

https://github.com/nodejs/undici/releases/tag/v5.19.1

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 16, 2023
Vulnerability Reserved
Jan 30, 2023

Nodejs

What is CVE-2023-24807?

Affected Version(s)

References

CVSS V3.1

Timeline