CVE-2023-24807: Undici vulnerable to Regular Expression Denial of Service in Headers
First published: Thu Feb 16 2023(Updated: )
Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Headers.set() and Headers.append() methods in the fetch API. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <18-9020020230327152102.rhel9 | 18-9020020230327152102.rhel9 |
| redhat/nodejs | <1:16.19.1-1.el9_2 | 1:16.19.1-1.el9_2 |
| redhat/nodejs | <1:16.20.2-1.el9_0 | 1:16.20.2-1.el9_0 |
| Nodejs Undici | <5.19.1 | |
| IBM Cognos Dashboards on Cloud Pak for Data | <=4.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247695
- https://www.ibm.com/support/pages/node/7031207 (Advisory)
- https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
- https://hackerone.com/bugs?report_id=1784449
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172205
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172207
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172206
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172208
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172209
- https://access.redhat.com/errata/RHSA-2023:1582
- https://access.redhat.com/errata/RHSA-2023:1583
- https://access.redhat.com/errata/RHSA-2023:2654
- https://access.redhat.com/errata/RHSA-2023:2655
- https://access.redhat.com/security/cve/cve-2023-24807
- https://access.redhat.com/errata/RHSA-2023:5533
- https://bugzilla.redhat.com/show_bug.cgi?id=2172204
- https://www.cve.org/CVERecord?id=CVE-2023-24807 https://nvd.nist.gov/vuln/detail/CVE-2023-24807
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-24807?
CVE-2023-24807 is a vulnerability in Node.js that allows for denial of service attacks due to regular expression denial of service (ReDoS).
How does CVE-2023-24807 affect Node.js?
CVE-2023-24807 affects Node.js by making the `Headers.set()` and `Headers.append()` methods vulnerable to ReDoS attacks when untrusted values are passed into the functions.
What is the severity level of CVE-2023-24807?
CVE-2023-24807 has a severity level of high with a CVSS score of 7.5.
How can I fix CVE-2023-24807?
To fix CVE-2023-24807, you should update your Node.js version to 19.6.1 or higher.
Where can I find more information about CVE-2023-24807?
You can find more information about CVE-2023-24807 on the Red Hat Bugzilla website: [link](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2172205)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-24807
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/event
- agent/description
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/nodejs
- canonical/nodejs undici
- vendor/ibm
- canonical/ibm cognos dashboards on cloud pak for data
- version/ibm cognos dashboards on cloud pak for data/4.7.0