HIGH 7.5

GHSA-r6ch-mqf9-qc9w

Regular Expression Denial of Service in Headers

Details

### Impact The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.

### Patches

This vulnerability was patched in v5.19.1.

### Workarounds There is no workaround. Please update to an unaffected version.

### References

* https://hackerone.com/bugs?report_id=1784449

### Credits

Carter Snook reported this vulnerability.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / undici

Introduced in: 0 Fixed in: 5.19.1

Fix npm install undici@5.19.1

References

https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2023-24807 [ADVISORY]
https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf [WEB]
https://github.com/nodejs/undici [PACKAGE]
https://github.com/nodejs/undici/releases/tag/v5.19.1 [WEB]
https://hackerone.com/bugs?report_id=1784449 [WEB]