CVE-2023-24807

HIGH

Undici <5.19.1 - ReDoS

Title source: llm

Description

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

References (5)

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20230324-0010/

[Vendor Advisory] https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w

[Patch] https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf

View Patch ZIP pw:eip

[Release Notes] https://github.com/nodejs/undici/releases/tag/v5.19.1

[Permissions Required, Third Party Advisory] https://hackerone.com/bugs?report_id=1784449

Scores

CVSS v3 7.5

EPSS 0.0031

EPSS Percentile 53.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333 CWE-20

Status published

Products (2)

nodejs/undici < 5.19.1

npm/undici 0 - 5.19.1npm

Published Feb 16, 2023

Tracked Since Feb 18, 2026