Published: 16/02/2023 Updated: 24/02/2023

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Vulnerable Product	Search on Vulmon	Subscribe to Product
nodejs undici

Debian Bug report logs - #1031418 node-undici: CVE-2023-23936 CVE-2023-24807 Package: src:node-undici; Maintainer for src:node-undici is Debian Javascript Maintainers <pkg-javascript-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 16 Feb 2023 21:45:02 UTC Severity: imp ...

Synopsis Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9 ...

Synopsis Moderate: nodejs:18 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8Red Hat Product Secu ...

Synopsis Important: nodejs security, bug fix, and enhancement update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for nodejs is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat P ...

Synopsis Moderate: nodejs:16 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8Red Hat Product Secu ...

DescriptionThe MITRE CVE dictionary describes this issue as: Undici is an HTTP/11 client for Nodejs Prior to version 5191, the `Headersset()` and `Headersappend()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions This is due to the inefficient regular expressi ...

Hitachi Ops Center Analyzer contains the following vulnerabilities: CVE-2022-43548, CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807, CVE-2023-30581, CVE-2023-30585, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590 Affected products and versions are listed below Please upgrade your version to the appropriate versio ...

CWE-1333 https://github.com/nodejs/undici/releases/tag/v5.19.1 https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w https://hackerone.com/bugs?report_id=1784449 https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031418 https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2023-24807

CVE-2023-24807

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect