CVE-2023-24807: Regular Expression Denial of Service in Headers

February 16, 2023 (updated February 24, 2023)

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

References

github.com/advisories/GHSA-r6ch-mqf9-qc9w
github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
github.com/nodejs/undici/releases/tag/v5.19.1
github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
hackerone.com/bugs?report_id=1784449
nvd.nist.gov/vuln/detail/CVE-2023-24807

Detect and mitigate CVE-2023-24807 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →