High severity · NVD Advisory · Published Feb 16, 2023 · Updated Mar 10, 2025
Undici vulnerable to Regular Expression Denial of Service in Headers
CVE-2023-24807
Description
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) when untrusted values are passed to them. The cause is the regular expression /^[\r\n\t ]+|[\r\n\t ]+$/g that the headerValueNormalize() utility function used to strip leading and trailing HTTP whitespace: its trailing alternative, [\r\n\t ]+$, backtracks quadratically on a long run of whitespace that is followed by a non-whitespace byte, so a header value of a few hundred thousand tabs followed by a single letter keeps the event loop busy for a very long time. This vulnerability was patched in v5.19.1, which replaces the trailing trim with a linear backwards scan. No known workarounds are available.
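The following is an added example, not undici's own code: the pre-5.19.1 regex trim beside a linear-time trim written in the same shape as the fix, plus a small step counter that models why the trailing alternative of the old regex does quadratic work. The counter is a simplified model of a backtracking engine (one step per failed end-of-string check), not a trace of V8's actual regex engine; the attack input is constructed in the same shape as undici's regression test (one letter, a long run of tabs, one letter).

```javascript
// HTTP whitespace per the Fetch spec's header value normalization.
const HTTP_WS = /[\r\n\t ]/;

// Vulnerable form: the regex headerValueNormalize() used before undici v5.19.1.
// The second alternative, [\r\n\t ]+$, is the problem: at every position inside a
// run of whitespace that is NOT at the end of the string, the engine greedily eats
// the rest of the run, fails at `$`, then backtracks one character at a time
// before giving up and retrying from the next position. Work grows as O(n^2).
function normalizeVulnerable(value) {
  return value.replace(/^[\r\n\t ]+|[\r\n\t ]+$/g, '');
}

// Hardened form, same shape as the v5.19.1 fix: walk backwards from the end until
// a non-whitespace byte, slice there, then strip leading whitespace with a regex
// anchored at the start (a single anchored character class cannot backtrack
// quadratically). Both halves are linear in the input length.
function normalizeFixed(value) {
  let i = value.length;
  // charAt(-1) is '' and fails the test, so an all-whitespace (or empty) value
  // stops with i === -1 and slice(0, 0) yields ''.
  while (HTTP_WS.test(value.charAt(--i)));
  return value.slice(0, i + 1).replace(/^[\r\n\t ]+/, '');
}

// Model (assumption: a naive backtracking matcher) of the work done for the
// `[\r\n\t ]+$` alternative alone: one step for every `$` check. A run of n
// whitespace bytes followed by a non-whitespace byte costs n + (n-1) + ... + 1.
function trailingAlternativeSteps(value) {
  let steps = 0;
  for (let start = 0; start < value.length; start++) {
    if (!HTTP_WS.test(value[start])) continue;
    let end = start;
    while (end < value.length && HTTP_WS.test(value[end])) end++;
    if (end === value.length) {
      steps += 1;          // `$` succeeds on the first check, no backtracking
      break;               // the match reaches the end; nothing left to scan
    }
    steps += end - start;  // one failed `$` check per backtrack position
  }
  return steps;
}

// Constructed attack value: 'a', n tabs, then '\ta' (same shape as the regression
// test in the fix commit). The trailing 'a' is what forces the backtracking.
function attackValue(n) {
  return 'a' + '\t'.repeat(n) + '\ta';
}

// Steps the model charges for attack values of growing size; each doubling of n
// roughly quadruples the count, which is the quadratic blow-up behind the advisory.
function growthTable(sizes) {
  return sizes.map((n) => ({ n, steps: trailingAlternativeSteps(attackValue(n)) }));
}
```

normalizeVulnerable() and normalizeFixed() return identical results on ordinary header values; the difference is only visible on hostile input, where the fixed version handles a 500,000-tab value instantly while the vulnerable one should only ever be run on small n when experimenting.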
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| undici | npm | < 5.19.1 | 5.19.1 |
Patches
f2324e549943 Merge pull request from GHSA-r6ch-mqf9-qc9w
2 files changed · +19 −5
lib/fetch/headers.js+6 −4 modified@@ -24,10 +24,12 @@ function headerValueNormalize (potentialValue) { // To normalize a byte sequence potentialValue, remove // any leading and trailing HTTP whitespace bytes from // potentialValue. - return potentialValue.replace( - /^[\r\n\t ]+|[\r\n\t ]+$/g, - '' - ) + + // Trimming the end with `.replace()` and a RegExp is typically subject to + // ReDoS. This is safer and faster. + let i = potentialValue.length + while (/[\r\n\t ]/.test(potentialValue.charAt(--i))); + return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '') } function fill (headers, object) {
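Review bot: the new loop in headerValueNormalize() terminates on an all-whitespace or empty value only because `--i` reaches -1, charAt(-1) returns '' and the regex test rejects ''; that is correct but easy to break in a later edit, so add a comment saying the -1 case is relied on (an explicit `i > 0` bound would need care, since the decrement happens inside the condition and a whitespace byte at index 0 would be kept). The kept `/^[\r\n\t ]+/` replace is anchored at the start with a single character class and is linear, unlike the removed `[\r\n\t ]+$` alternative; the comment should say so rather than the generic "a RegExp is typically subject to ReDoS", which would otherwise invite someone to "fix" the remaining regex as well.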
test/fetch/headers.js+13 −1 modified@@ -666,6 +666,18 @@ tap.test('invalid headers', (t) => { t.end() }) +tap.test('headers that might cause a ReDoS', (t) => { + t.doesNotThrow(() => { + // This test will time out if the ReDoS attack is successful. + const headers = new Headers() + const attack = 'a' + '\t'.repeat(500_000) + '\ta' + headers.append('fhqwhgads', attack) + }) + + t.end() +}) + + tap.test('Headers.prototype.getSetCookie', (t) => { t.test('Mutating the returned list does not affect the set-cookie list', (t) => { const h = new Headers([ @@ -682,4 +694,4 @@ tap.test('Headers.prototype.getSetCookie', (t) => { }) t.end() -}) +}) \ No newline at end of file
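Review bot: the regression test only exercises the trailing-whitespace path (a long run of tabs followed by 'a') and detects the ReDoS solely by timing out; t.doesNotThrow never fires for a hang, so the assertion itself is vacuous. Add cases for the other paths the new code takes: a value that is entirely whitespace (the loop walks i down to -1), an empty string, and a long leading run ('\t'.repeat(500_000) + 'a') to confirm the kept `/^[\r\n\t ]+/` replace is linear, and assert the normalized value with headers.get('fhqwhgads') rather than only that append() returns. The file also loses its trailing newline ("\ No newline at end of file"); restore it.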
References
- github.com/advisories/GHSA-r6ch-mqf9-qc9w (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-24807 (NVD entry)
- github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (fix commit)
- github.com/nodejs/undici/releases/tag/v5.19.1 (patched release)
- github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w (upstream advisory)
- hackerone.com/bugs (HackerOne)