CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 48.0%
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (v5.19.1)
github.com/nodejs/undici/releases/tag/v5.19.1
github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
hackerone.com/bugs?report_id=1784449
launchpad.net/bugs/cve/CVE-2023-24807
nvd.nist.gov/vuln/detail/CVE-2023-24807
security-tracker.debian.org/tracker/CVE-2023-24807
www.cve.org/CVERecord?id=CVE-2023-24807