### ImpactThe `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.### PatchesThis vulnerability was patched in v5.19.1.### WorkaroundsThere is no workaround. Please update to an unaffected version.### References* https://hackerone.com/bugs?report_id=1784449### CreditsCarter Snook reported this vulnerability.