Carter Snook

**Name of the Vulnerable Software and Affected Versions** word-wrap versions all **Description** The issue is related to the use of a regular expression with inefficient computational complexity in the word-wrap module of the Node.js platform. This can be exploited by a remote attacker to cause a denial of service. The vulnerability is due to the usage of an insecure regular expression within the `result` variable. **Recommendations** For all versions, consider disabling the use of the word-wrap module until a secure version is available. As a temporary workaround, restrict the input to the `result` variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Undici versions prior to 5.19.1 **Description** Undici is an HTTP/1.1 client for Node.js. The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. **Recommendations** For versions prior to 5.19.1, update to version 5.19.1 or later to resolve the issue. As a temporary workaround, consider restricting the input to the `Headers.set()` and `Headers.append()` methods to trusted values only, until a patch is applied. Additionally, be cautious when using the `headerValueNormalize()` utility function with untrusted input.

**Name of the Vulnerable Software and Affected Versions** http-cache-semantics versions prior to 4.1.1 **Description** The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. This leads to a Denial of Service due to an Inefficient Regular Expression Complexity. **Recommendations** For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the library until a patch is applied. Avoid using the library to read cache policies from requests with potentially malicious header values until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cookiejar versions prior to 2.1.4 **Description** The issue is related to the `Cookie.parse` function in the cookiejar package, which uses an insecure regular expression. This can lead to a Regular Expression Denial of Service (ReDoS) if untrusted input is passed to cookie values or attempted to parse from request headers. As a result, applications could be stalled for extended periods of time. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `Cookie.parse` function to minimize the risk of exploitation. Avoid passing untrusted input to cookie values or attempting to parse from request headers until the issue is resolved.