CVE-2023-24807

CVE Details

Release Date:

2023-02-16

Description

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

See more information about CVE-2023-24807 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score:	7.5	Base Metrics:	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Vector:	Network	Attack Complexity:	Low
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (nodejs)	ELSA-2023-1582	2023-04-05
Oracle Linux version 8 (nodejs)	ELSA-2023-1583	2023-04-05
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2023-1582	2023-04-05
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2023-1583	2023-04-05
Oracle Linux version 8 (nodejs-packaging)	ELSA-2023-1582	2023-04-05
Oracle Linux version 8 (nodejs-packaging)	ELSA-2023-1583	2023-04-05
Oracle Linux version 9 (nodejs)	ELSA-2023-2654	2023-05-17
Oracle Linux version 9 (nodejs)	ELSA-2023-2655	2023-05-17
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2023-2654	2023-05-17
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2023-2655	2023-05-17
Oracle Linux version 9 (nodejs-packaging)	ELSA-2023-2654	2023-05-17

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team