GHSA-r6ch-mqf9-qc9w

Suggest an improvement
Source
https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r6ch-mqf9-qc9w/GHSA-r6ch-mqf9-qc9w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r6ch-mqf9-qc9w
Aliases
Published
2023-02-16T20:46:10Z
Modified
2023-11-01T05:01:19.382132Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Regular Expression Denial of Service in Headers
Details

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

  • https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

References

Affected packages

npm / undici

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.19.1