CVE-2023-24807
Undici vulnerable to Regular Expression Denial of Service in Headers
Summary
- Affected Versions: prior to 5.19.1 (see Descriptions)
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The nodejs package has been upgraded to a later upstream version. Issues addressed include HTTP request smuggling, buffer overflow, bypass, CRLF injection, and denial of service vulnerabilities.
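The description above attributes the cost to the regular expression that trims HTTP whitespace from header values. As an added illustration (not undici's own code, and not the patched code from the linked commit), the following JavaScript puts a trim regex of the shape that produces this class of ReDoS next to a linear-time scan that does the same job, and times both on a constructed worst-case value. The exact regex and the function names are assumptions for the example; the quadratic behaviour it shows is the general one for an `alternative+$` trim, which is the bug class CWE-1333 names.

```javascript
// Added example: quadratic trim regex versus a linear index scan.
// HTTP whitespace per the Fetch spec: TAB, LF, CR, SPACE.
const HTTP_WS = new Set(['\t', '\n', '\r', ' ']);

// Vulnerable shape (assumed for illustration, not quoted from undici):
// for a value like "a" + " " * n + "x", the `[\r\n\t ]+$` alternative is
// attempted from every space, greedily consumes the rest of the run, fails
// on "x", then backtracks one character at a time. Summed over all start
// positions that is O(n^2) steps for a value that needs no trimming at all.
function normalizeWithRegex(value) {
  return value.replace(/^[\r\n\t ]+|[\r\n\t ]+$/g, '');
}

// Hardened form: walk in from both ends once. Every character is examined
// at most once, so cost is O(n) regardless of where the whitespace sits.
function normalizeLinear(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value[start])) start++;
  while (end > start && HTTP_WS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Constructed attacker payload: a non-whitespace byte, a long run of spaces,
// then a non-whitespace byte. A run at the very start is consumed by the
// `^[\r\n\t ]+` alternative in one step, so the run must sit in the middle.
function redosPayload(n) {
  return 'a' + ' '.repeat(n) + 'x';
}

// Both normalizers must agree on every input; the fix changes cost, not output.
function agree(value) {
  return normalizeWithRegex(value) === normalizeLinear(value);
}

// Wall-clock cost of one normalizer on one value, in milliseconds.
function timeNormalize(fn, value) {
  const t0 = process.hrtime.bigint();
  fn(value);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Time both normalizers across payload sizes; returns one row per size.
function benchmark(sizes) {
  return sizes.map((n) => {
    const p = redosPayload(n);
    return {
      n,
      regexMs: timeNormalize(normalizeWithRegex, p),
      linearMs: timeNormalize(normalizeLinear, p),
    };
  });
}

// Stand-alone demo: the regex column grows roughly 4x per doubling of n,
// the linear column stays flat.
for (const row of benchmark([2500, 5000, 10000, 20000])) {
  console.log(
    `n=${row.n} regex=${row.regexMs.toFixed(1)}ms linear=${row.linearMs.toFixed(1)}ms`
  );
}
```

In an application the quadratic cost is paid once per `Headers.set()` or `Headers.append()` call, so a server that copies request-controlled strings into header values (for example echoing a query parameter into a response header) hands the attacker a CPU amplifier bounded only by the maximum header length it accepts; the practical check is that header-normalization code never contains a `+$`-style trailing-match alternative over attacker-sized input.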
SSVC
- Decision: Attend
Timeline
- 2023-01-30 CVE Reserved
- 2023-02-16 CVE Published
- 2025-03-10 CVE Updated
- 2025-04-15 EPSS Updated
- Exploited in Wild: none recorded
- KEV Due Date: none recorded
- First Exploit: none recorded
CWE
- CWE-20: Improper Input Validation
- CWE-1333: Inefficient Regular Expression Complexity
References (5)
URL | Date | Tag
---|---|---
https://github.com/nodejs/undici/releases/tag/v5.19.1 | | Release Notes
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf | 2023-02-24 |
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w | 2023-02-24 |
https://access.redhat.com/security/cve/CVE-2023-24807 | 2023-10-09 |
https://bugzilla.redhat.com/show_bug.cgi?id=2172204 | 2023-10-09 |