{"api_version":"1","generated_at":"2026-04-23T01:13:40+00:00","cve":"CVE-2023-24807","urls":{"html":"https://cve.report/CVE-2023-24807","api":"https://cve.report/api/cve/CVE-2023-24807.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24807","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24807"},"summary":{"title":"CVE-2023-24807","description":"Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-02-16 18:15:00","updated_at":"2023-02-24 18:38:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w","name":"https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w","refsource":"MISC","tags":[],"title":"Regular Expression Denial of Service in Headers · Advisory · nodejs/undici · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/bugs?report_id=1784449","name":"https://hackerone.com/bugs?report_id=1784449","refsource":"MISC","tags":[],"title":"Just a moment...","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://github.com/nodejs/undici/releases/tag/v5.19.1","name":"https://github.com/nodejs/undici/releases/tag/v5.19.1","refsource":"MISC","tags":[],"title":"Release v5.19.1 · nodejs/undici · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf","name":"https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-r6ch-mqf9-qc9w · nodejs/undici@f2324e5 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24807","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24807","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24807","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"undici","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24807","qid":"160533","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-1583)"},{"cve":"CVE-2023-24807","qid":"160535","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-1582)"},{"cve":"CVE-2023-24807","qid":"160639","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-2654)"},{"cve":"CVE-2023-24807","qid":"160640","title":"Oracle Enterprise Linux Security Update for nodejs and nodejs-nodemon (ELSA-2023-2655)"},{"cve":"CVE-2023-24807","qid":"241307","title":"Red Hat Update for nodejs:18 security (RHSA-2023:1583)"},{"cve":"CVE-2023-24807","qid":"241332","title":"Red Hat Update for nodejs:16 security (RHSA-2023:1582)"},{"cve":"CVE-2023-24807","qid":"241429","title":"Red Hat Update for nodejs and nodejs-nodemon security (RHSA-2023:2655)"},{"cve":"CVE-2023-24807","qid":"241457","title":"Red Hat Update for nodejs:18 security (RHSA-2023:2654)"},{"cve":"CVE-2023-24807","qid":"242132","title":"Red Hat Update for nodejs security (RHSA-2023:5533)"},{"cve":"CVE-2023-24807","qid":"284203","title":"Fedora Security Update for nodejs16 (FEDORA-2023-973319d5b7)"},{"cve":"CVE-2023-24807","qid":"502670","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-24807","qid":"502748","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-24807","qid":"753756","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2023:0673-1)"},{"cve":"CVE-2023-24807","qid":"905571","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (13585)"},{"cve":"CVE-2023-24807","qid":"906674","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (13585-3)"},{"cve":"CVE-2023-24807","qid":"940976","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:1582)"},{"cve":"CVE-2023-24807","qid":"940977","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:1583)"},{"cve":"CVE-2023-24807","qid":"941013","title":"AlmaLinux Security Update for nodejs and nodejs-nodemon (ALSA-2023:2655)"},{"cve":"CVE-2023-24807","qid":"941014","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:2654)"},{"cve":"CVE-2023-24807","qid":"960893","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:1583)"},{"cve":"CVE-2023-24807","qid":"960902","title":"Rocky Linux Security Update for nodejs:16 (RLSA-2023:1582)"},{"cve":"CVE-2023-24807","qid":"960937","title":"Rocky Linux Security Update for nodejs and nodejs-nodemon (RLSA-2023:2655)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24807","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20: Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"nodejs","product":{"product_data":[{"product_name":"undici","version":{"version_data":[{"version_affected":"=","version_value":"< 5.19.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/nodejs/undici/releases/tag/v5.19.1","refsource":"MISC","name":"https://github.com/nodejs/undici/releases/tag/v5.19.1"},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w","refsource":"MISC","name":"https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w"},{"url":"https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf","refsource":"MISC","name":"https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"},{"url":"https://hackerone.com/bugs?report_id=1784449","refsource":"MISC","name":"https://hackerone.com/bugs?report_id=1784449"}]},"source":{"advisory":"GHSA-r6ch-mqf9-qc9w","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-02-16 18:15:00","lastModifiedDate":"2023-02-24 18:38:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*","versionEndExcluding":"5.19.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}