View all vulnerabilities

CVE-2023-24807

Regular Expression Denial of Service in Headers

Description

### Impact
The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.


### Patches

This vulnerability was patched in v5.19.1.

### Workarounds
There is no workaround. Please update to an unaffected version.

### References

* https://hackerone.com/bugs?report_id=1784449

### Credits

Carter Snook reported this vulnerability.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
7.5
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Versions
undici < 5.19.1
Severity
High
High
High
Ecosystem
JavaScript
Publish Date
February 16, 2023
Modified Date
November 7, 2023