Home > Vulnerability Database > CVE-2023-24807

Mend.io Vulnerability Database

CVE-2023-24807

Good to know:

Date: February 16, 2023

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Language: JS

Severity Score

7.5

Related Resources (8)

Url: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w

Url: https://github.com/nodejs/undici/releases/tag/v5.19.1

Url: https://access.redhat.com/security/cve/CVE-2023-24807

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-24807

Url: https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf

Url: https://hackerone.com/bugs?report_id=1784449

Url: https://security-tracker.debian.org/tracker/CVE-2023-24807

Url: https://www.mend.io/vulnerability-database/CVE-2023-24807

Severity Score

7.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version undici - 5.19.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-24807

Good to know:

Date: February 16, 2023

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?