{ "schema_version": "1.4.0", "id": "GHSA-r6ch-mqf9-qc9w", "modified": "2023-02-16T20:46:10Z", "published": "2023-02-16T20:46:10Z", "aliases": [ "CVE-2023-24807" ], "summary": "Regular Expression Denial of Service in Headers", "details": "### Impact\nThe `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.\n\n### Patches\n\nThis vulnerability was patched in v5.19.1.\n\n### Workarounds\nThere is no workaround. Please update to an unaffected version.\n\n### References\n\n* https://hackerone.com/bugs?report_id=1784449\n\n### Credits\n\nCarter Snook reported this vulnerability.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "undici" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.19.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24807" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.19.1" }, { "type": "WEB", "url": "https://hackerone.com/bugs?report_id=1784449" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-02-16T20:46:10Z", "nvd_published_at": "2023-02-16T18:15:00Z" } }