CVE-2023-24807
Severity
HIGH
Undici < 5.19.1 - Regular Expression Denial of Service via Header Value Normalization
Title source: llmDescription
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods of its WHATWG Fetch `Headers` implementation are vulnerable to Regular Expression Denial of Service (ReDoS) when untrusted values are passed to them, because the `headerValueNormalize()` utility used an inefficient regular expression to strip leading and trailing HTTP whitespace from header values. A crafted value can keep the single-threaded event loop busy for a long time, which is what the CVSS vector records (A:H, no confidentiality or integrity impact). The vulnerability was patched in v5.19.1. No known workarounds are available, so the remediation is to upgrade; the exposed surface is any code path that copies client-supplied header values into a `Headers` object, such as reverse proxies, API gateways and header forwarding.
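To make the root cause concrete, the following is an added example written for this page; it is not undici's own normalizer or its patch. It shows a trim regex of the shape the advisory describes next to a linear two-index scan, a constructed adversarial value, and a doubling-time measurement so the quadratic behaviour can be observed locally. The exact regex pattern, the function names (`normalizeWithRegex`, `normalizeHeaderValue`, `adversarialValue`, `timeNormalize`, `growthRatio`) and the payload layout are assumptions for illustration.

```javascript
// Added example, not code from undici. Shows why an anchored-alternation trim
// regex is quadratic on a crafted value and how a two-index scan avoids it.
// The pattern below is an assumption about the *shape* of the vulnerable
// normalizer, not a copy of undici's source.

// HTTP whitespace per the Fetch spec is only these four bytes. Note that
// String.prototype.trim() would also strip \f, \v and Unicode spaces, which
// would silently change a header value, so the hardened version scans by hand.
const HTTP_WS = new Set(['\t', '\n', '\r', ' ']);

// Regex-shaped normalizer (vulnerable shape). For a value such as
// "x" + "\t".repeat(n) + "x", the `[\r\n\t ]+$` branch is attempted at each of
// the n tab offsets, greedily consumes the rest of the run, fails at `$` on the
// final "x", and backtracks one byte at a time: n + (n-1) + ... = O(n^2) steps.
function normalizeWithRegex(value) {
  return value.replace(/^[\r\n\t ]+|[\r\n\t ]+$/g, '');
}

// Hardened normalizer: walk inward from both ends. Every byte is inspected at
// most once, so the cost is O(n) regardless of where the whitespace sits.
function normalizeHeaderValue(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value[start])) start++;
  while (end > start && HTTP_WS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Constructed adversarial value (assumed layout): a whitespace run that is
// neither leading nor trailing, so the trailing-whitespace branch does maximal
// wasted work before the overall match fails.
function adversarialValue(n) {
  return 'x' + '\t'.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call of fn on adversarialValue(n).
function timeNormalize(fn, n) {
  const value = adversarialValue(n);
  const t0 = process.hrtime.bigint();
  fn(value);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Ratio of run times when n doubles: roughly 4 for a quadratic normalizer,
// roughly 2 (or timer noise at small n) for a linear one.
function growthRatio(fn, n) {
  return timeNormalize(fn, 2 * n) / timeNormalize(fn, n);
}

// Demonstration run; both normalizers return the same string for this input.
const N = 5000;
console.log(`regex  normalizer, n=${N} -> ${2 * N}: growth ratio ${growthRatio(normalizeWithRegex, N).toFixed(1)}`);
console.log(`linear normalizer, n=${N} -> ${2 * N}: growth ratio ${growthRatio(normalizeHeaderValue, N).toFixed(1)}`);
```

Running the block prints a growth ratio near 4 for the regex version and a ratio that stays flat for the scan, which is the signature to look for when triaging a suspected ReDoS: the input that hurts is not the longest one but the one laid out so the engine's failing branch is re-run at every offset. The general fix for this bug class is the same as here: normalize untrusted input with code whose cost is linear in the input length, or bound the length before the regex runs.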
References (5)
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230324-0010/
Vendor Advisory x_refsource_confirm
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
Patch x_refsource_misc
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
Release Notes x_refsource_misc
https://github.com/nodejs/undici/releases/tag/v5.19.1
Third Party Advisory, Permissions Required x_refsource_misc
https://hackerone.com/bugs?report_id=1784449
Scores
CVSS v3
7.5
EPSS
0.0132
EPSS Percentile
66.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333 (Inefficient Regular Expression Complexity)
CWE-20 (Improper Input Validation)
Status
published
Products (2)
nodejs/undici
< 5.19.1
npm/undici
0 - 5.19.1 (npm)
Published
Feb 16, 2023
Tracked Since
Feb 18, 2026