High severity · NVD Advisory · Published Feb 16, 2023 · Updated Mar 10, 2025
Undici vulnerable to Regular Expression Denial of Service in Headers
CVE-2023-24807
Description
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
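A linear-time normalizer of the kind the fix calls for, as an added example (not undici's own code): it strips only leading and trailing HTTP whitespace with two index scans, so the cost of Headers.set()/append() stays proportional to the value length however the whitespace is arranged. `SafeHeaderList`, `isValidHeaderValue` and `normalizeLongValue` are hypothetical names introduced here.

```javascript
// Added example (not undici's code): linear-time header value normalization.
// Per the Fetch spec, HTTP whitespace is exactly TAB, LF, CR and SPACE.
const HTTP_WHITESPACE = new Set(['\t', '\n', '\r', ' ']);

// Strip leading and trailing HTTP whitespace with two index scans. Every
// character is inspected at most once, so cost is O(n) for any input; a
// backtracking regex with anchored alternatives can go quadratic when a long
// whitespace run sits in the middle of the value.
function headerValueNormalize(value) {
  let start = 0;
  let end = value.length;
  while (end > start && HTTP_WHITESPACE.has(value[end - 1])) end--;
  while (end > start && HTTP_WHITESPACE.has(value[start])) start++;
  return start === 0 && end === value.length ? value : value.slice(start, end);
}

// After normalization a header value must not contain NUL, CR or LF
// (Fetch's "header value" definition); Headers.set()/append() throw otherwise.
function isValidHeaderValue(normalized) {
  return !/[\0\r\n]/.test(normalized); // single character class, no backtracking
}

// Minimal Headers-like store (hypothetical) showing where normalization and
// validation sit relative to set() and append().
class SafeHeaderList {
  constructor() { this.map = new Map(); }
  #prepare(name, value) {
    const v = headerValueNormalize(String(value));
    if (!isValidHeaderValue(v)) throw new TypeError(`invalid value for header "${name}"`);
    return [name.toLowerCase(), v];
  }
  set(name, value) {
    const [key, v] = this.#prepare(name, value);
    this.map.set(key, v);
  }
  append(name, value) {
    const [key, v] = this.#prepare(name, value);
    this.map.set(key, this.map.has(key) ? `${this.map.get(key)}, ${v}` : v);
  }
  get(name) { return this.map.get(name.toLowerCase()) ?? null; }
}

// Constructed adversarial shape: a long whitespace run between two bytes.
// Nothing is trimmed, so each scan stops after a single step.
function normalizeLongValue(n) {
  return headerValueNormalize('a' + ' '.repeat(n) + 'b');
}
```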
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undici (npm) | < 5.19.1 | 5.19.1 |
Affected products
No CPE identifiers are attached to these entries; each is identified by its package URL and, where given, distribution.

| Package URL | Distribution | Affected range |
|---|---|---|
| pkg:npm/undici | npm registry | < 5.19.1 |
| pkg:rpm/almalinux/nodejs | AlmaLinux | < 1:16.19.1-1.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/almalinux/nodejs-devel | AlmaLinux | < 1:16.19.1-1.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/almalinux/nodejs-docs | AlmaLinux | < 1:16.19.1-1.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/almalinux/nodejs-full-i18n | AlmaLinux | < 1:16.19.1-1.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/almalinux/nodejs-libs | AlmaLinux | < 1:16.19.1-1.el9_2 |
| pkg:rpm/almalinux/nodejs-nodemon | AlmaLinux | < 2.0.20-3.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/almalinux/nodejs-packaging | AlmaLinux | < 25-1.module_el8.5.0+2605+45d748af |
| pkg:rpm/almalinux/nodejs-packaging-bundler | AlmaLinux | < 2021.06-4.module_el8.7.0+3343+ea2b7901 |
| pkg:rpm/almalinux/npm | AlmaLinux | < 1:8.19.3-1.16.19.1.1.module_el8.7.0+3496+a59a3324 |
| pkg:rpm/opensuse/nodejs16 | openSUSE Leap 15.4 | < 16.19.1-150400.3.15.1 |
| pkg:rpm/opensuse/nodejs18 | openSUSE Leap 15.4 | < 18.14.2-150400.9.6.2 |
| pkg:rpm/opensuse/nodejs18 | openSUSE Tumbleweed | < 18.14.2-1.1 |
| pkg:rpm/opensuse/nodejs19 | openSUSE Tumbleweed | < 19.7.0-1.1 |
| pkg:rpm/suse/nodejs16 | SUSE Enterprise Storage 7.1 | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise Module for Web and Scripting 12 | < 16.19.1-8.24.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise Module for Web and Scripting 15 SP4 | < 16.19.1-150400.3.15.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise Server 15 SP3-LTSS | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs16 | SUSE Linux Enterprise Server for SAP Applications 15 SP3 | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs16 | SUSE Manager Server 4.2 | < 16.19.1-150300.7.18.1 |
| pkg:rpm/suse/nodejs18 | SUSE Linux Enterprise Module for Web and Scripting 12 | < 18.14.2-8.6.2 |
| pkg:rpm/suse/nodejs18 | SUSE Linux Enterprise Module for Web and Scripting 15 SP4 | < 18.14.2-150400.9.6.2 |
References
- github.com/advisories/GHSA-r6ch-mqf9-qc9w (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-24807 (NVD advisory)
- github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf (fix commit)
- github.com/nodejs/undici/releases/tag/v5.19.1 (patched release)
- github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w (vendor advisory, confirmed)
- hackerone.com/bugs (misc)