CVE-2023-24807

Name
CVE-2023-24807
Description
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type  URI
MISC  https://github.com/nodejs/undici/releases/tag/v5.19.1
MISC  https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
MISC  https://hackerone.com/bugs?report_id=1784449
MISC  https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf

Match rules

CPE URI                                         Source package  Min version  Max version
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*   nodejs          >= None      < 5.19.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status