VYPR
High severity · NVD Advisory · Published Feb 16, 2023 · Updated Mar 10, 2025

Undici vulnerable to Regular Expression Denial of Service in Headers

CVE-2023-24807

Description

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
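The following is an added example, not code from undici or from this advisory, showing the mechanism in miniature: a regex-based trim of leading and trailing HTTP whitespace with the backtracking shape that makes it quadratic in the length of an untrusted header value, beside a linear index-walking normalizer of the kind a fix uses. The regex, the function names and the benchmark input are assumptions for illustration; the exact pre-5.19.1 undici pattern is not quoted here. HTTP whitespace is taken as TAB, LF, CR and SPACE, as the Fetch specification defines it.

```javascript
// Added example (not undici's source). Illustrates why a trim implemented as
// a regular expression can be driven into quadratic backtracking by a header
// value an attacker controls, and how a linear index walk avoids it.

// Assumed trim pattern: strip leading or trailing HTTP whitespace.
// The trailing alternative `[\r\n\t ]+$` is the problem: inside a long run of
// whitespace that does NOT end the string, the engine matches the run greedily,
// fails at `$`, backtracks through the run, then retries from the next
// position, so total work is O(n^2) in the length of the run.
const HTTP_WHITESPACE_RE = /^[\r\n\t ]+|[\r\n\t ]+$/g;

function normalizeWithRegex(value) {
  return value.replace(HTTP_WHITESPACE_RE, '');
}

// HTTP whitespace bytes per the Fetch spec: 0x09, 0x0A, 0x0D, 0x20.
function isHTTPWhiteSpace(ch) {
  return ch === '\t' || ch === '\n' || ch === '\r' || ch === ' ';
}

// Linear normalizer: advance one index from each end; every character is
// inspected at most once, so cost is O(n) regardless of content.
function normalizeWithLoop(value) {
  let i = 0;
  let j = value.length;
  while (j > i && isHTTPWhiteSpace(value[j - 1])) --j;
  while (j > i && isHTTPWhiteSpace(value[i])) ++i;
  return i === 0 && j === value.length ? value : value.substring(i, j);
}

// Constructed attacker input (not a real captured header): a non-whitespace
// byte, a long whitespace run, then one more non-whitespace byte so that `$`
// never matches inside the run. Nothing is trimmed, but the regex engine
// still does n^2/2 character comparisons before giving up.
function adversarialHeaderValue(n) {
  return 'a' + ' '.repeat(n) + 'b';
}

// Times one normalization call; returns the result and elapsed milliseconds.
function timeNormalize(fn, value) {
  const start = process.hrtime.bigint();
  const out = fn(value);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { out, elapsedMs };
}

// Benchmark on modest sizes so this finishes quickly when run directly.
function benchmark(sizes) {
  const rows = [];
  for (const n of sizes) {
    const v = adversarialHeaderValue(n);
    const r = timeNormalize(normalizeWithRegex, v);
    const l = timeNormalize(normalizeWithLoop, v);
    rows.push({ n, regexMs: r.elapsedMs, loopMs: l.elapsedMs, sameResult: r.out === l.out });
  }
  return rows;
}

for (const row of benchmark([2500, 5000, 10000])) {
  console.log(
    `n=${row.n}: regex ${row.regexMs.toFixed(1)} ms, ` +
    `loop ${row.loopMs.toFixed(3)} ms, same result: ${row.sameResult}`
  );
}
```

Run with `node`: both functions return identical strings, but the regex timing should grow roughly fourfold each time `n` doubles while the loop stays in the microsecond range. The same input passed through `Headers.set()` or `Headers.append()` on an affected undici version reaches the regex-based normalizer the description refers to, which is why a single oversized header value from an untrusted source is enough to stall the event loop. The linear walk is the structural fix: no workaround short of upgrading exists because the cost is in the normalizer itself, not in any caller that could be avoided.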

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
undici    npm         < 5.19.1            5.19.1
