Source: node-undici
Version: 5.15.0+dfsg1+~cs20.10.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for node-undici.

CVE-2023-23936[0]:
| Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0
| and prior to version 5.19.1, the undici library does not protect the
| `host` HTTP header from CRLF injection vulnerabilities. This issue is
| patched in Undici v5.19.1. As a workaround, sanitize the
| `headers.host` string before passing to undici.

CVE-2023-24807[1]:
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
| `Headers.set()` and `Headers.append()` methods are vulnerable to
| Regular Expression Denial of Service (ReDoS) attacks when untrusted
| values are passed into the functions. This is due to the inefficient
| regular expression used to normalize the values in the
| `headerValueNormalize()` utility function. This vulnerability was
| patched in v5.19.1. No known workarounds are available.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23936
    https://www.cve.org/CVERecord?id=CVE-2023-23936
[1] https://security-tracker.debian.org/tracker/CVE-2023-24807
    https://www.cve.org/CVERecord?id=CVE-2023-24807

Regards,
Salvatore
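The two advisories quoted above describe a caller-side workaround (sanitize `headers.host` before it reaches undici) and a header-value normalizer whose regular expression could be made to backtrack. The block below is an added example, not code from undici, from the Debian package or from the report's author: it shows what such a caller-side check can look like, and a linear-time normalizer of the kind a fix for the second issue needs. The function names (`validateHostHeader`, `normalizeHeaderValue`, `buildHeaders`), the Host allow-list pattern and the choice to strip the four HTTP whitespace characters named in the Fetch specification are all assumptions of this example; undici's actual `headerValueNormalize()` implementation and its original regular expression are not shown on the page.

```javascript
// Added example (not undici's code): defensive checks a caller can apply
// to header values before handing them to an HTTP/1.1 client such as undici.
//
// 1. validateHostHeader() implements the workaround quoted in the report
//    for CVE-2023-23936: refuse a `host` value that could not be a legal
//    Host header. A CR or LF inside the value would end the header line
//    early, so such values are rejected rather than silently stripped
//    (a stripped value no longer matches what the caller asked for).
//
// 2. normalizeHeaderValue() performs the Fetch specification's "normalize"
//    step (strip leading and trailing HTTP whitespace: tab, LF, CR, space).
//    The report attributes CVE-2023-24807 to an inefficient regular
//    expression in undici's headerValueNormalize(); this hypothetical
//    replacement scans with two indices and never backtracks, so its cost
//    is linear in the input length whatever the input contains.

const HTTP_WHITESPACE = new Set(['\t', '\n', '\r', ' ']);

// Trim leading/trailing HTTP whitespace in O(n) without a regular expression.
// Note: this only trims; it does not reject CR/LF that appear *inside* the
// value, which a header-value validity check must handle separately.
function normalizeHeaderValue(value) {
  const s = String(value);
  let start = 0;
  let end = s.length;
  while (start < end && HTTP_WHITESPACE.has(s[start])) start++;
  while (end > start && HTTP_WHITESPACE.has(s[end - 1])) end--;
  return s.slice(start, end);
}

// Conservative allow-list for "uri-host [ ':' port ]" (RFC 3986 / RFC 9110):
// a bracketed IPv6 literal or a reg-name/IPv4 made of unreserved and
// percent-encoded characters, then an optional numeric port. The two
// alternatives start with different characters and contain no nested or
// overlapping quantifiers, so this pattern itself cannot be made to backtrack.
const HOST_RE = /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-_~%]+)(?::[0-9]{1,5})?$/;

function validateHostHeader(value) {
  if (typeof value !== 'string') return false;
  // Check CR/LF explicitly first so the reason for rejection stays obvious
  // even if the allow-list below is relaxed later.
  if (value.includes('\r') || value.includes('\n')) return false;
  return HOST_RE.test(value);
}

// Build the headers object for a request, refusing an unsafe Host and
// normalizing every other value before the client sees it.
function buildHeaders(host, extra = {}) {
  if (!validateHostHeader(host)) {
    throw new TypeError('refusing to send a Host header containing illegal characters');
  }
  const out = { host };
  for (const [name, value] of Object.entries(extra)) {
    out[name.toLowerCase()] = normalizeHeaderValue(value);
  }
  return out;
}

// Constructed sample input: an attacker-shaped host value and a padded value.
const rejected = validateHostHeader('example.com\r\nx-injected: 1'); // false
const trimmed = normalizeHeaderValue(' '.repeat(100000) + 'text/plain' + '\t'.repeat(100000));
console.log({ rejected, trimmed });
```

The allow-list is deliberately stricter than the full RFC grammar; a deployment that needs to accept, say, internationalised host names should widen it rather than fall back to a blocklist, and should keep the explicit CR/LF rejection as the first check.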