
CVE-2023-24807 : Vulnerability Insights and Analysis

Undici HTTP client for Node.js prior to v5.19.1 suffers from ReDoS vulnerability in Headers. Learn impact, mitigation, and update steps.

Undici vulnerable to Regular Expression Denial of Service in Headers

Understanding CVE-2023-24807

Undici, an HTTP/1.1 client for Node.js, is vulnerable to Regular Expression Denial of Service (ReDoS) in its Headers implementation prior to version 5.19.1. The vulnerability is triggered when untrusted values are passed to the Headers.set() and Headers.append() methods.

What is CVE-2023-24807?

In undici versions before 5.19.1, the regular expression used to strip leading and trailing HTTP whitespace from header values in the headerValueNormalize() utility function backtracks excessively on certain inputs. Because every value passed to Headers.set() or Headers.append() goes through this function, a crafted value forces the regex engine into superlinear work, which is the ReDoS condition.

The Impact of CVE-2023-24807

The vulnerability is rated HIGH with a CVSS score of 7.5. It is reachable over the network and affects availability only: a crafted header value ties up the Node.js process, but confidentiality and integrity of the system are not compromised.

Technical Details of CVE-2023-24807

This section provides more insight into the vulnerability, affected systems, and how it can be exploited.

Vulnerability Description

The vulnerability stems from the inefficient regular expression employed in the headerValueNormalize() function. Any untrusted value that reaches Headers.set() or Headers.append() is normalized by that regex, so an attacker who controls such a value can make the regex engine backtrack heavily and stall the process.

Affected Systems and Versions

All undici versions lower than 5.19.1 are affected. Users should update to version 5.19.1 or later. Note that Node.js also ships its own copy of undici to back the global fetch(); that copy is updated by upgrading Node.js itself, not through npm, so both the npm-installed package and the Node.js release in use need to be checked.

Exploitation Mechanism

By passing crafted values into Headers.set() or Headers.append(), an attacker triggers catastrophic backtracking in the normalizing regular expression. The normalization runs synchronously on the event loop, so a single crafted value can block the whole Node.js process for a time that grows superlinearly with the value's length, causing denial of service. A typical exposure is application code that copies client-supplied header values into a Headers object, for example when proxying or forwarding requests.
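The following is an added example, not code from the page or from the undici project, showing the class of bug described above: a trim-style regular expression whose cost grows quadratically on a whitespace run that is not at either end of the string, next to a linear two-index normalizer that strips the same HTTP whitespace bytes (HTAB, LF, CR, SP). The exact regex is an assumption about the common shape of such normalizers; the page does not reproduce undici's expression. The input shape 'x' + spaces + 'x' is constructed for the demonstration.

```javascript
// Added example (not undici's code): a quadratic trim-style regex versus a
// linear normalizer for HTTP header values.
//
// ASSUMPTION: this regex is the common "strip leading/trailing HTTP whitespace"
// shape; the page does not show undici's actual expression.
const TRIM_REGEX = /^[\r\n\t ]+|[\r\n\t ]+$/g;

function regexNormalize(value) {
  return value.replace(TRIM_REGEX, '');
}

// HTTP whitespace bytes as defined by the Fetch spec: HTAB, LF, CR, SP.
function isHttpWhitespace(ch) {
  return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r';
}

// Linear-time normalizer: scan in from both ends, no backtracking possible.
function linearNormalize(value) {
  let start = 0;
  let end = value.length;
  while (start < end && isHttpWhitespace(value[start])) start++;
  while (end > start && isHttpWhitespace(value[end - 1])) end--;
  return start === 0 && end === value.length ? value : value.slice(start, end);
}

// Constructed attack-shaped input: a whitespace run that is NOT at either end,
// so the `[\r\n\t ]+$` alternative is attempted, and fails after backtracking,
// at every position inside the run (n + (n-1) + ... steps, i.e. O(n^2)).
function attackValue(n) {
  return 'x' + ' '.repeat(n) + 'x';
}

// Wall-clock cost of one normalization, in milliseconds.
function timeIt(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Demo: doubling n roughly quadruples the regex cost, while the linear
// normalizer stays flat. Both produce the same normalized value.
for (const n of [2500, 5000, 10000]) {
  const v = attackValue(n);
  console.log(
    `n=${n}: regex ${timeIt(regexNormalize, v).toFixed(1)} ms, ` +
    `linear ${timeIt(linearNormalize, v).toFixed(1)} ms`
  );
}
```

The important detail is where the whitespace sits: a value that is only leading or trailing whitespace is handled in one pass by the first alternative, so a naive test with " ".repeat(n) will not reproduce the slowdown. The regex engine only falls into quadratic backtracking when the `[\r\n\t ]+$` alternative keeps matching a long run of whitespace and then failing at a following non-whitespace character.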

Mitigation and Prevention

To address CVE-2023-24807 and prevent potential exploitation, users are advised to take immediate steps and implement long-term security practices.

Immediate Steps to Take

        Update the undici package to version 5.19.1 or above to patch the vulnerability and prevent ReDoS attacks.
        Where application code copies client-supplied header values into a Headers object (for example when proxying requests), cap their length and reject anything that is not a valid HTTP header value before it reaches Headers.set() or Headers.append().

Long-Term Security Practices

        Implement proper input validation mechanisms to safeguard against similar vulnerabilities in the future.
        Regularly monitor and apply security updates and patches to ensure the system is protected against emerging threats.

Patching and Updates

        The vulnerability was addressed in Node.js Undici version 5.19.1. Users are encouraged to promptly update their systems to the latest version to eliminate the risk of ReDoS attacks.
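To make the update step checkable, here is an added example (not code from the page or from undici) that scans an npm lockfile for every installed copy of undici, including transitive copies nested under other packages, and reports those below 5.19.1. It handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map). The sample lockfile and the "some-sdk" package name are constructed for the example; the version comparison assumes plain x.y.z versions as npm records them.

```javascript
// Added example (not part of the page or of undici): report undici entries
// in an npm lockfile that are older than the first fixed version.
const FIXED_VERSION = '5.19.1';

// Compare dotted numeric versions; returns <0, 0 or >0.
// Assumption: plain x.y.z strings; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableUndici(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version }] for every undici entry below the fix.
function findVulnerableUndici(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/some-sdk/node_modules/undici".
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path.endsWith('node_modules/undici') && entry.version &&
          isVulnerableUndici(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lockfile.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'undici' && isVulnerableUndici(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lockfile.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3 shape): a direct, patched undici plus a
// transitive, vulnerable copy nested under a hypothetical "some-sdk".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { undici: '^5.19.1', 'some-sdk': '^1.0.0' } },
    'node_modules/undici': { version: '5.19.1' },
    'node_modules/some-sdk': { version: '1.0.0', dependencies: { undici: '5.18.0' } },
    'node_modules/some-sdk/node_modules/undici': { version: '5.18.0' },
  },
};

// Against a real project:
//   const lock = JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'));
//   console.log(findVulnerableUndici(lock));
console.log(findVulnerableUndici(SAMPLE_LOCKFILE));
// → [ { path: 'node_modules/some-sdk/node_modules/undici', version: '5.18.0' } ]
```

The scan deliberately matches on the install path rather than the top-level dependency name, because the vulnerable copy is often a nested one pulled in by an SDK or framework that pins an older undici. It covers only copies installed through npm, so it complements rather than replaces checking the Node.js release itself.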
