CVE-2023-24807

CVSS v3.1 7.5 (High)
EPSS 0.15% (51st)
Affected Products 1
Advisories 21

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Weaknesses
CWE-1333
Inefficient Regular Expression Complexity
CWE-20
Improper Input Validation
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2023-02-16 18:15:12
Updated Date
2023-02-24 18:38:57

Affected Products


Configuration #1

Product
Nodejs Undici for Node.js prior 5.19.1 version
CPE23
cpe:2.3:a:nodejs:undici::*:*:*:*:node.js
From
-
Up To
< 5.19.1