CVE-2023-24807

Name	CVE-2023-24807
Description	Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1031418

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
node-undici (PTS)	bookworm	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4	fixed
	bookworm (security)	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3	fixed
	sid, trixie	5.28.4+dfsg1+~cs23.12.11-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
node-undici	source	bookworm	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
node-undici	source	(unstable)	5.19.1+dfsg1+~cs20.10.9.5-1			1031418

Notes

https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (v5.19.1)