PT-2023-19790 · Node.js · Undici

Carter Snook · Published 2023-02-16 · Updated 2026-05-18 · CVE-2023-24807

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.19.1

Description: Undici is an HTTP/1.1 client for Node.js. The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Recommendations: For versions prior to 5.19.1, update to version 5.19.1 or later to resolve the issue. As a temporary workaround, consider restricting the input to the Headers.set() and Headers.append() methods to trusted values only, until a patch is applied. Additionally, be cautious when using the headerValueNormalize() utility function with untrusted input.
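The following is an added example, not code from this advisory or from the undici project. It shows one way to apply the two recommendations above in a Node.js service: a version check against the fixed release 5.19.1 named in the advisory, and a guard that only lets bounded, well-formed values reach Headers.set()/Headers.append() until the upgrade lands. The function names, the 4096-byte length cap and the CR/LF/NUL rejection are this example's own assumptions (a length cap matters because ReDoS cost grows with input length; CR, LF and NUL are never legal in an HTTP header value).

```javascript
// Added example (not from the advisory or undici): enforce the advisory's
// workaround of passing only trusted, bounded values into Headers.append()/
// Headers.set(), and check whether the installed undici already carries the fix.

const FIXED_VERSION = [5, 19, 1]; // from the advisory: fixed in undici 5.19.1

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release suffix ignored).
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised version string: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true when the installed undici version is 5.19.1 or later.
function isPatchedUndici(installed) {
  const v = parseVersion(installed);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] > FIXED_VERSION[i];
  }
  return true; // exactly 5.19.1
}

// Assumed cap: tune per application. Keeping values short bounds the work any
// value-normalisation regex can do, which is the whole point of a ReDoS guard.
const MAX_HEADER_VALUE_LENGTH = 4096;

// Validate a header value before it reaches undici's normalisation code.
// Rejects non-strings, over-long values, and CR/LF/NUL. Trims leading and
// trailing space/tab with a plain loop (no regex) so the guard itself is linear.
function validateHeaderValue(value) {
  if (typeof value !== 'string') {
    throw new TypeError('header value must be a string');
  }
  if (value.length > MAX_HEADER_VALUE_LENGTH) {
    throw new RangeError(`header value longer than ${MAX_HEADER_VALUE_LENGTH} characters`);
  }
  if (/[\r\n\0]/.test(value)) {
    throw new TypeError('header value contains CR, LF or NUL');
  }
  let start = 0;
  let end = value.length;
  while (start < end && (value[start] === ' ' || value[start] === '\t')) start++;
  while (end > start && (value[end - 1] === ' ' || value[end - 1] === '\t')) end--;
  return value.slice(start, end);
}

// Wrapper used in place of a bare headers.append(name, untrustedValue) call.
// `headers` is any object with an append(name, value) method (e.g. a Headers).
function appendTrusted(headers, name, value) {
  headers.append(name, validateHeaderValue(value));
  return headers;
}

// Usage with the global Headers class where one is available (Node 18+).
if (typeof Headers === 'function') {
  const h = appendTrusted(new Headers(), 'x-request-id', '  req-0001 ');
  console.log(h.get('x-request-id')); // req-0001
}

module.exports = { parseVersion, isPatchedUndici, validateHeaderValue, appendTrusted, MAX_HEADER_VALUE_LENGTH };
```

The length check runs before any regex touches the value, so even on an unpatched undici the normaliser only ever sees input of bounded size; the version check is meant for a startup assertion or a CI gate rather than a runtime decision.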

Exploit · Fix · DoS · RCE


Weakness Enumeration

Related Identifiers

ALSA-2023:1582
ALSA-2023:1583
ALSA-2023:2654
ALSA-2023:2655
ALT-PU-2023-1431
ALT-PU-2023-1494
ALT-PU-2023-1496
AZL-13585
CESA-2023_1582
CESA-2023_1583
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2023-24807
GHSA-R6CH-MQF9-QC9W
OPENSUSE-SU-2024:12725-1
OPENSUSE-SU-2024:12726-1
RHSA-2023:1582
RHSA-2023:1583
RHSA-2023:2654
RHSA-2023:2655
RHSA-2023:5533
RHSA-2023_1582
RHSA-2023_1583
RHSA-2023_2654
RHSA-2023_2655
RLSA-2023:1582
RLSA-2023:1583
RLSA-2023:2655
SUSE-SU-2023:0608-1
SUSE-SU-2023:0609-1
SUSE-SU-2023:0673-1
SUSE-SU-2023:0715-1
SUSE-SU-2023:0738-1

Affected Products

Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Undici