SB2023022022 - Multiple vulnerabilities in Undici for Node.js
Published: February 20, 2023
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Incorrect Regular Expression (CVE-ID: CVE-2023-24807)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the `Headers.set()` and `Headers.append()` methods. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
2) HTTP response splitting (CVE-ID: CVE-2023-23936)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists because the software does not correctly process CRLF character sequences when handling the HTTP "Host" header. A remote attacker can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.
Remediation
Install the update from the vendor's website.
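To confirm the update actually reached every installed copy, the following added example (not part of the original bulletin or the Undici project) scans an npm lockfile for undici versions below the fixed release. It assumes v5.19.1, the release linked in the References, carries both fixes; the sample lockfile and the package name "fetch-wrapper" are constructed.

```javascript
// Added example: flag undici copies older than the fixed release in an npm lockfile.
// Assumption: v5.19.1 (the release linked in References) contains both fixes.
const FIXED = [5, 19, 1];

// Parse "5.8.0" into [major, minor, patch]; prerelease tags are ignored.
// Returns null when the string is not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Lockfile v2/v3 lists every installed copy under "packages", keyed by path,
// so nested copies (node_modules/x/node_modules/undici) are caught as well.
function findVulnerableUndici(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/undici$/.test(path)) continue;
    const ver = parseVersion(meta.version);
    // An unparseable version is reported too, so it gets a manual look.
    if (ver === null || isOlder(ver, FIXED)) {
      hits.push({ path, version: meta.version ?? "unknown" });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/undici": { version: "5.19.1" },
    "node_modules/fetch-wrapper/node_modules/undici": { version: "5.8.0" },
    "node_modules/undici-types": { version: "5.26.5" },
  },
};

console.log(findVulnerableUndici(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of package-lock.json to findVulnerableUndici(); a transitive dependency can pin an old copy even after the top-level one is updated.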
References
- https://github.com/nodejs/undici/releases/tag/v5.19.1
- https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
- https://hackerone.com/bugs?report_id=1784449
- https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf
- https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034
- https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
- https://hackerone.com/reports/1820955