GHSA-r6ch-mqf9-qc9w

Source

https://github.com/advisories/GHSA-r6ch-mqf9-qc9w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r6ch-mqf9-qc9w/GHSA-r6ch-mqf9-qc9w.json

Aliases

• CVE-2023-24807

Published

2023-02-16T20:46:10Z

Modified

2023-11-08T04:11:48.635999Z

Details

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

• https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

References

• https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
• https://nvd.nist.gov/vuln/detail/CVE-2023-24807
• https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
• https://github.com/nodejs/undici
• https://github.com/nodejs/undici/releases/tag/v5.19.1
• https://hackerone.com/bugs?report_id=1784449