Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Published

2023-02-16T18:15:12.340

Last Modified

2024-11-21T07:48:26.040

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-20
Type: Primary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	undici	< 5.19.1	Yes

References

https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf Patch ([email protected])
https://github.com/nodejs/undici/releases/tag/v5.19.1 Release Notes ([email protected])
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w Vendor Advisory ([email protected])
https://hackerone.com/bugs?report_id=1784449 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nodejs/undici/releases/tag/v5.19.1 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/bugs?report_id=1784449 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230324-0010/ (af854a3a-2127-422b-91ae-364da2661108)