CVE-2023-24807

NameCVE-2023-24807
DescriptionUndici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1031418

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-undici (PTS)bookworm, bookworm (security)5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3fixed
sid, trixie5.28.2+dfsg1+~cs23.11.12.3-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-undicisourcebookworm5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
node-undicisource(unstable)5.19.1+dfsg1+~cs20.10.9.5-11031418

Notes

https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (v5.19.1)

Search for package or bug name: Reporting problems