CVE-2023-24807
Regular Expression Denial of Service vulnerability in undici (npm)

Category: Regular Expression Denial of Service · Known exploits: none

What is CVE-2023-24807 About?

The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks due to an inefficient regular expression in the `headerValueNormalize()` utility function. This can lead to denial of service when untrusted values are passed to these methods. Exploitation is possible by supplying malicious input to these functions and can be relatively straightforward.

Affected Software

undici <5.19.1

Technical Details

The vulnerability stems from an inefficient regular expression used within the `headerValueNormalize()` utility function, which `Headers.set()` and `Headers.append()` call when processing header values. When untrusted, specially crafted input strings are passed as values to these methods, the inefficient regex can enter a catastrophic backtracking state. This consumes excessive CPU resources and memory, leading to a Regular Expression Denial of Service (ReDoS) condition that makes the application unresponsive or causes it to crash.
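The following is an added example, not undici's own code: it implements the Fetch specification's header value normalization (strip leading and trailing HTTP whitespace, i.e. tab, LF, CR and space) with a two-index scan that runs in linear time regardless of input shape, shows beside it the generic anchored-trim regex class that backtracks quadratically (an illustrative pattern, not claimed to be the exact expression from the affected versions), and adds an input-length guard for callers still on an unpatched version. `safeHeaderValue`, `MAX_HEADER_VALUE_LENGTH` and `compareCost` are hypothetical names introduced here.

```javascript
// Added example (not undici's code). Fetch-spec "normalize" for header
// values: remove leading and trailing HTTP whitespace bytes.
const HTTP_WS = new Set(['\t', '\n', '\r', ' ']);

// Linear-time normalization: each character is examined at most once,
// so a long whitespace run cannot blow up the cost.
function headerValueNormalizeLinear(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WS.has(value[start])) start++;
  while (end > start && HTTP_WS.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// Illustrative regex-based trim of the "^WS+|WS+$" shape (generic ReDoS
// class, not asserted to be undici's exact expression). For a long
// whitespace run followed by a non-whitespace character, the "WS+$"
// alternative is retried from every position in the run: O(n^2).
const REGEX_TRIM = /^[\t\n\r ]+|[\t\n\r ]+$/g;
function headerValueNormalizeRegex(value) {
  return value.replace(REGEX_TRIM, '');
}

// Wall-clock comparison on a constructed worst-case input (whitespace run
// then one non-whitespace byte). Not run at module load; call explicitly.
function compareCost(runLength) {
  const input = ' '.repeat(runLength) + 'x';
  const time = (fn) => {
    const t0 = process.hrtime.bigint();
    fn(input);
    return Number(process.hrtime.bigint() - t0) / 1e6; // milliseconds
  };
  return { linearMs: time(headerValueNormalizeLinear), regexMs: time(headerValueNormalizeRegex) };
}

// Defensive wrapper for code that must hand untrusted values to
// Headers.set()/append() on an unpatched undici: bound the input size so a
// backtracking regex never sees a long string, then normalize linearly.
const MAX_HEADER_VALUE_LENGTH = 8192; // assumed limit; tune per deployment
function safeHeaderValue(value) {
  if (typeof value !== 'string' || value.length > MAX_HEADER_VALUE_LENGTH) {
    throw new RangeError('header value rejected: not a string or too long');
  }
  return headerValueNormalizeLinear(value);
}

module.exports = { headerValueNormalizeLinear, headerValueNormalizeRegex, compareCost, safeHeaderValue, MAX_HEADER_VALUE_LENGTH };
```

Calling `compareCost(100000)` shows the linear scan finishing in well under a millisecond while the regex variant takes orders of magnitude longer on the same input.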

What is the Impact of CVE-2023-24807?

Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness or crashes.

What is the Exploitability of CVE-2023-24807?

Exploitation requires an attacker to be able to supply untrusted values to the `Headers.set()` or `Headers.append()` methods within the affected application. The attack complexity is moderate, as it involves crafting a specific string that triggers the ReDoS. Authentication and privilege requirements depend on how user-controlled input can reach these header modification functions; if exposed to unauthenticated or low-privileged users, the risk is higher. Exploitation is likely remote if an attacker can manipulate HTTP header values sent to a server-side application. The primary risk factor is accepting and processing untrusted or unsanitized input for HTTP header values.

What are the Known Public Exploits?

No known public exploits (PoC, author, link and commentary: none listed).

What are the Available Fixes for CVE-2023-24807?

Available Upgrade Options

  • undici
    • <5.19.1 → Upgrade to 5.19.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-24807?

Similar Vulnerabilities: CVE-2022-42965, CVE-2022-40896, CVE-2020-8174, CVE-2023-1090, CVE-2020-28168