CVSS 3.1 (base score 7.5, High)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS percentile: 54.3%
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) when untrusted values are passed to them. The cause is an inefficient regular expression used to normalize header values in the headerValueNormalize() utility function: an attacker who controls a header value can supply one that makes the normalization step take time superlinear in the value's length. This vulnerability was patched in v5.19.1. No known workarounds are available.
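As an added illustration (not undici's code, and not the exact regular expression from the fix commit): a header-value trim written with a leading-or-trailing HTTP-whitespace regex of the kind the advisory describes, beside a linear index scan of the sort a maintainer would substitute, plus a timing loop on a constructed value. The regex, the HTTP_WS set, the function names and the payload are assumptions for this example; the HTTP whitespace set (TAB, LF, CR, SPACE) is the Fetch-spec definition that Headers value normalization uses.

```javascript
// Added example, not undici's code: a header-value normalizer with a regex of
// the shape the advisory describes, beside a linear replacement, and a timing
// loop that makes the quadratic behaviour visible on a constructed value.
'use strict';

// HTTP whitespace as the Fetch spec defines it: TAB, LF, CR, SPACE. This is
// narrower than String.prototype.trim(), which also strips \f, \v, NBSP and
// other Unicode spaces, so trim() is not a semantics-preserving replacement.
const HTTP_WS = new Set(['\t', '\n', '\r', ' ']);

// Regex-based trim (assumed shape, not the project's exact source). The trailing
// alternative `[\r\n\t ]+$` may start at any whitespace byte; on a value like
// "x" + " ".repeat(n) + "x" the engine tries it from each of the n positions,
// greedily consumes to the final "x", fails on `$`, and backtracks: O(n^2).
function normalizeWithRegex(value) {
  return value.replace(/^[\r\n\t ]+|[\r\n\t ]+$/g, '');
}

// Linear-time trim: locate the first and last non-whitespace byte, then slice.
// Interior whitespace is preserved exactly as the regex form preserves it.
function normalizeLinear(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value[start])) start++;
  while (end > start && HTTP_WS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Constructed attacker-controlled value: a leading non-whitespace byte so the
// `^` alternative cannot absorb the run, then n spaces, then a non-whitespace
// byte so the trailing alternative never matches and must backtrack.
function makePayload(n) {
  return 'x' + ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call; performance.now() is a Node global.
function timeMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// Doubling n roughly quadruples the regex time while the linear scan stays flat.
for (const n of [2000, 4000, 8000]) {
  const payload = makePayload(n);
  console.log(
    `n=${n}: regex ${timeMs(normalizeWithRegex, payload).toFixed(1)} ms, ` +
    `linear ${timeMs(normalizeLinear, payload).toFixed(3)} ms`
  );
}
```

Both functions return identical results on ordinary header values and on values that are whitespace only, differ from String.prototype.trim() on form feeds and non-breaking spaces, and only diverge in cost: the regex form grows quadratically with the length of an interior whitespace run, which is the behaviour a pre-5.19.1 caller of Headers.set() or Headers.append() exposes to whoever controls the value.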
github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (v5.19.1)
github.com/nodejs/undici/releases/tag/v5.19.1
github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
hackerone.com/bugs?report_id=1784449
launchpad.net/bugs/cve/CVE-2023-24807
nvd.nist.gov/vuln/detail/CVE-2023-24807
security-tracker.debian.org/tracker/CVE-2023-24807
www.cve.org/CVERecord?id=CVE-2023-24807