Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-r6ch-mqf9-qc9w

Опубликовано: 16 фев. 2023
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

Credits

Carter Snook reported this vulnerability.

Пакеты

Наименование

undici

npm
Затронутые версииВерсия исправления

< 5.19.1

5.19.1

EPSS

Процентиль: 48%
0.00248
Низкий

7.5 High

CVSS3

Дефекты

CWE-1333

Связанные уязвимости

CVSS3: 7.5
ubuntu
больше 2 лет назад

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

CVSS3: 7.5
redhat
больше 2 лет назад

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

CVSS3: 7.5
nvd
больше 2 лет назад

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

CVSS3: 7.5
msrc
больше 2 лет назад

Описание отсутствует

CVSS3: 7.5
debian
больше 2 лет назад

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the ...

EPSS

Процентиль: 48%
0.00248
Низкий

7.5 High

CVSS3

Дефекты

CWE-1333