Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
References
Link | Resource |
---|---|
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf | Patch |
https://github.com/nodejs/undici/releases/tag/v5.19.1 | Release Notes |
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w | Vendor Advisory |
https://hackerone.com/bugs?report_id=1784449 | Permissions Required Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-02-16T17:30:19.923Z
Updated: 2023-02-16T17:30:19.923Z
Reserved: 2023-01-30T14:43:33.703Z
Link: CVE-2023-24807
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-02-16T18:15:12.340
Modified: 2023-02-24T18:38:57.073
Link: CVE-2023-24807
JSON object: View
Redhat Information
No data.