CVE-2023-24807: Regular Expression Denial of Service in Headers
(updated )
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set()
and Headers.append()
methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize()
utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
References
Detect and mitigate CVE-2023-24807 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →