CVE-2023-24807
HIGH7.5EPSS 0.30%Regular Expression Denial of Service in Headers
發布日:2023/2/16修改日:2023/11/8
描述
### Impact The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. ### Patches This vulnerability was patched in v5.19.1. ### Workarounds There is no workaround. Please update to an unaffected version. ### References * https://hackerone.com/bugs?report_id=1784449 ### Credits Carter Snook reported this vulnerability.
受影響套件(3)
- Alpine/nodejsfrom 0, < 16.19.1-r0
- Debian/node-undicifrom 0, < 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
- npm/undicifrom 0, < 5.19.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-24807
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2023-24807
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-24807
- PATCHhttps://github.com/nodejs/undici
- WEBhttps://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
- WEBhttps://github.com/nodejs/undici/releases/tag/v5.19.1
- WEBhttps://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
- WEBhttps://hackerone.com/bugs?report_id=1784449