#VU72404 Incorrect Regular Expression in undici


Published: 2023-02-20

Vulnerability identifier: #VU72404

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24807

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
undici
Server applications / File servers (FTP/HTTP)

Vendor: Node.js

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when user-supplied input within the `Headers.set()` and `Headers.append()` methods. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

undici: 1.0.0 - 5.19.0

External links
http://github.com/nodejs/undici/releases/tag/v5.19.1
http://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
http://hackerone.com/bugs?report_id=1784449
http://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data
Red Hat Enterprise Linux 9.0 Extended Update Support update for nodejs
Fedora 37 update for nodejs16, nodejs18, nodejs20
Fedora 38 update for nodejs16, nodejs18, nodejs20
Fedora 38 update for nodejs16, nodejs18, nodejs20
Fedora 37 update for nodejs16, nodejs18, nodejs20
Fedora 37 update for nodejs16
Fedora 38 update for nodejs16
Multiple vulnerabilities in IBM App Connect Enterprise Certified Container