Carter Snook

**Name of the Vulnerable Software and Affected Versions** word-wrap versions all **Description** The issue is related to the use of a regular expression with inefficient computational complexity in the word-wrap module of the Node.js platform. This can be exploited by a remote attacker to cause a denial of service. The vulnerability is due to the usage of an insecure regular expression within the `result` variable. **Recommendations** For all versions, consider disabling the use of the word-wrap module until a secure version is available. As a temporary workaround, restrict the input to the `result` variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Undici versions prior to 5.19.1 **Description** Undici is an HTTP/1.1 client for Node.js. The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. **Recommendations** For versions prior to 5.19.1, update to version 5.19.1 or later to resolve the issue. As a temporary workaround, consider restricting the input to the `Headers.set()` and `Headers.append()` methods to trusted values only, until a patch is applied. Additionally, be cautious when using the `headerValueNormalize()` utility function with untrusted input.

**Name of the Vulnerable Software and Affected Versions** http-cache-semantics versions prior to 4.1.1 **Description** The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. This leads to a Denial of Service due to an Inefficient Regular Expression Complexity. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the library until a patch is applied. Avoid using the library to read cache policies from requests with potentially malicious header values until the issue is resolved.

**Nome do software vulnerável e versões afetadas** Versões do cookiejar anteriores à 2.1.4 **Descrição** O problema está relacionado à função `Cookie.parse` no pacote cookiejar, que utiliza uma expressão regular insegura. Isso pode levar a um ataque de negação de serviço por expressão regular (ReDoS) se entradas não confiáveis forem passadas para valores de cookies ou se houver tentativa de analisá-las a partir de cabeçalhos de solicitação. Como resultado, os aplicativos podem ficar paralisados por longos períodos. **Recomendações** Para versões anteriores à 2.1.4, atualize para a versão 2.1.4 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o uso da função `Cookie.parse` para minimizar o risco de exploração. Evite passar entradas não confiáveis para valores de cookies ou tentar analisar cabeçalhos de solicitação até que o problema seja resolvido.