Fluid Attacks Database

Description

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	undici	>=0 <5.19.1	5.19.1
alpine v3.15	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.2-r0 \|\| =16.14.0-r0 \|\| =16.14.2-r0 \|\| =16.16.0-r0 \|\| =16.17.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.19.1-r0	16.19.1-r0
alpine v3.16	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.17.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <16.19.1-r0	16.19.1-r0
alpine v3.17	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.18	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.19	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.20	nodejs	=10.13.0-r0 \|\| =10.14.0-r0 \|\| =10.14.1-r0 \|\| =10.14.2-r0 \|\| =10.15.1-r0 \|\| =10.15.3-r0 \|\| =10.16.0-r0 \|\| =10.16.1-r0 \|\| =10.16.2-r0 \|\| =10.16.3-r0 \|\| =12.13.0-r0 \|\| =12.13.0-r1 \|\| =12.13.1-r0 \|\| =12.14.0-r0 \|\| =12.14.1-r0 \|\| =12.15.0-r0 \|\| =12.15.0-r1 \|\| =12.15.0-r2 \|\| =12.16.2-r0 \|\| =12.16.3-r0 \|\| =12.16.3-r1 \|\| =12.17.0-r0 \|\| =12.18.0-r0 \|\| =12.18.0-r1 \|\| =12.18.0-r2 \|\| =12.18.2-r0 \|\| =12.18.3-r0 \|\| =12.18.4-r0 \|\| =12.19.0-r0 \|\| =14.15.1-r0 \|\| =14.15.3-r0 \|\| =14.15.3-r1 \|\| =14.15.3-r2 \|\| =14.15.4-r0 \|\| =14.15.5-r0 \|\| =14.16.0-r0 \|\| =14.16.0-r1 \|\| =14.16.1-r0 \|\| =14.16.1-r1 \|\| =14.16.1-r2 \|\| =14.17.0-r0 \|\| =14.17.1-r0 \|\| =14.17.2-r0 \|\| =14.17.3-r0 \|\| =14.17.4-r0 \|\| =14.17.5-r0 \|\| =14.17.6-r0 \|\| =14.17.6-r1 \|\| =14.18.0-r0 \|\| =14.18.1-r0 \|\| =14.18.1-r1 \|\| =16.13.0-r0 \|\| =16.13.1-r0 \|\| =16.13.1-r1 \|\| =16.13.2-r0 \|\| =16.13.2-r1 \|\| =16.14.2-r0 \|\| =16.14.2-r1 \|\| =16.15.0-r0 \|\| =16.15.0-r1 \|\| =16.16.0-r0 \|\| =16.16.0-r1 \|\| =16.17.0-r0 \|\| =16.17.1-r0 \|\| =16.18.0-r0 \|\| =16.18.0-r1 \|\| =18.12.0-r0 \|\| =18.12.1-r0 \|\| =18.13.0-r0 \|\| =18.14.0-r0 \|\| =4.4.3-r0 \|\| =4.4.4-r0 \|\| =4.4.5-r0 \|\| =4.4.7-r0 \|\| =4.5.0-r0 \|\| =6.10.0-r0 \|\| =6.10.1-r0 \|\| =6.10.3-r0 \|\| =6.11.0-r0 \|\| =6.11.1-r0 \|\| =6.11.1-r1 \|\| =6.11.1-r2 \|\| =6.11.2-r0 \|\| =6.11.3-r0 \|\| =6.11.4-r0 \|\| =6.11.5-r0 \|\| =6.9.1-r0 \|\| =6.9.1-r1 \|\| =6.9.2-r0 \|\| =6.9.4-r0 \|\| =6.9.4-r1 \|\| =6.9.5-r0 \|\| =6.9.5-r1 \|\| =8.10.0-r0 \|\| =8.11.0-r0 \|\| =8.11.0-r1 \|\| =8.11.1-r0 \|\| =8.11.1-r1 \|\| =8.11.1-r2 \|\| =8.11.2-r0 \|\| =8.11.3-r0 \|\| =8.11.3-r1 \|\| =8.11.3-r2 \|\| =8.11.3-r3 \|\| =8.11.4-r0 \|\| =8.12.0-r0 \|\| =8.9.0-r0 \|\| =8.9.1-r0 \|\| =8.9.2-r0 \|\| =8.9.3-r0 \|\| =8.9.3-r1 \|\| =8.9.4-r0 \|\| >=0 <18.14.1-r0	18.14.1-r0
alpine v3.21	nodejs	>=0 <18.14.1-r0	18.14.1-r0
alpine v3.22	nodejs	>=0 <18.14.1-r0	18.14.1-r0
debian 12	node-undici	=5.15.0+dfsg1+~cs20.10.9.3-1 \|\| >=0 <5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1	5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

1-10 of 16

Aliases

1. CVE-2023-248072. NVD-2023-248073. OSV-2023-248074. OSV-ALPINE-2023-248075. OSV-DEBIAN-2023-248076. GHSA-r6ch-mqf9-qc9w7. GCVE-2023-248078. SECURITY-CVE-2023-248079. SECURITY-TRACKER-CVE-2023-24807

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w2. https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf3. https://github.com/nodejs/undici/releases/tag/v5.19.14. https://hackerone.com/bugs?report_id=1784449