CVE-2023-24807
HIGH7.5EPSS 0.30%Regular Expression Denial of Service in Headers
Published: 2/16/2023Modified: 11/8/2023
Description
### Impact The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. ### Patches This vulnerability was patched in v5.19.1. ### Workarounds There is no workaround. Please update to an unaffected version. ### References * https://hackerone.com/bugs?report_id=1784449 ### Credits Carter Snook reported this vulnerability.
Affected packages (3)
- Alpine/nodejsfrom 0, < 16.19.1-r0
- Debian/node-undicifrom 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
- npm/undicifrom 0, < 5.19.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-24807
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2023-24807
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-24807
- PATCHhttps://github.com/nodejs/undici
- WEBhttps://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
- WEBhttps://github.com/nodejs/undici/releases/tag/v5.19.1
- WEBhttps://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
- WEBhttps://hackerone.com/bugs?report_id=1784449