GHSA-r6ch-mqf9-qc9w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r6ch-mqf9-qc9w/GHSA-r6ch-mqf9-qc9w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r6ch-mqf9-qc9w
- Aliases
- Published
- 2023-02-16T20:46:10Z
- Modified
- 2023-11-08T04:11:48.635999Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Regular Expression Denial of Service in Headers
- Details
-
Impact
The
Headers.set()andHeaders.append()methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
- https://hackerone.com/bugs?report_id=1784449
Credits
Carter Snook reported this vulnerability.
- References
-
- https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
- https://nvd.nist.gov/vuln/detail/CVE-2023-24807
- https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
- https://github.com/nodejs/undici
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://hackerone.com/bugs?report_id=1784449
Affected packages
npm / undici
Package
- Name
- undici
- View open source insights on deps.dev
- Purl
- pkg:npm/undici