Description
The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.
Recommendation
Update the undici package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.19.1
- Patched version(s): 5.19.1
References
Related Issues
- MathJax Regular expression Denial of Service (ReDoS) - CVE-2023-39663
- angular vulnerable to regular expression denial of service via the $resource service - CVE-2023-26117
- angular vulnerable to regular expression denial of service via the angular.copy() utility - CVE-2023-26116
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
You might also like:
- Tags:
- npm
- undici
Anything's wrong? Let us know Last updated on February 16, 2023