CVE-2023-24807
Regular Expression Denial of Service in Headers
Severity: HIGH (CVSS 3.1 base score 7.5)
EPSS: 0.30%
Description
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
How to fix CVE-2023-24807
To remediate CVE-2023-24807, upgrade the affected package to a fixed version below.
- upgrade to 16.19.1-r0 or later
- upgrade to 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1 or later
- upgrade to 5.19.1 or later
Is CVE-2023-24807 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- all versions from 0 up to, but not including, 16.19.1-r0
- all versions from 0 up to, but not including, 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
- all versions from 0 up to, but not including, 5.19.1
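The description above says the problem is a trimming regex that does more than linear work on untrusted header values, and the affected-range list says which npm releases need upgrading. The following is an added example, not undici's own code: a linear-time normalizer that strips leading and trailing HTTP whitespace with two index scans (the kind of replacement a fix for this class of bug uses), and a helper that checks an installed npm `undici` version string against the fixed release 5.19.1 from this advisory. `normalizeHeaderValue`, `parseVersion` and `isAffectedUndici` are names chosen for this example.

```javascript
// Added example (not undici's own code): a linear-time header value
// normalizer plus a check against the fixed release named in this advisory.

// HTTP whitespace as used for header value normalization: tab, LF, CR, space.
const HTTP_WS = new Set(['\t', '\n', '\r', ' ']);

// Strip leading and trailing HTTP whitespace with two index scans.
// Every character is inspected at most once, so the cost stays O(n) no
// matter how much padding an untrusted caller supplies. A trailing-whitespace
// pattern such as /[\t\n\r ]+$/ applied with the global flag can instead
// re-scan to the end of the string from each whitespace position.
function normalizeHeaderValue(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value[start])) start++;
  while (end > start && HTTP_WS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Parse a "MAJOR.MINOR.PATCH" string (optional leading "v"; any
// pre-release or build suffix is ignored for this comparison).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when an npm undici version is below the fixed release 5.19.1.
const FIXED_VERSION = '5.19.1';
function isAffectedUndici(installedVersion) {
  const a = parseVersion(installedVersion);
  const b = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Constructed sample input: a short value wrapped in a large amount of
// whitespace, the shape of input a superlinear trimming regex struggles with.
const padded = ' \t'.repeat(50000) + 'text/html' + '\r\n'.repeat(50000);
console.log(normalizeHeaderValue(padded)); // text/html
console.log(isAffectedUndici('5.19.0'), isAffectedUndici('5.19.1')); // true false
```

The version helper covers only the npm package line; the Alpine and Debian ranges listed above carry distribution-specific version strings and should be checked with the distribution's own package tooling.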
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |