CVE-2023-24807: Mitigating Regular Expression Denial of Service (ReDoS) in Undici HTTP Client for Node.js

Undici is a high-performance HTTP/1.1 client for Node.js, widely used in applications requiring reliable network communication. A recent vulnerability, identified as CVE-2023-24807, has been discovered in Undici versions prior to v5.19.1. As a critical security concern, developers using Undici must pay close attention to this vulnerability and apply the necessary patches or updates to protect their applications from potential cyberattacks.

This article aims to provide an overview of CVE-2023-24807, inform developers on the inherent risk, detail the exploit, and communicate the steps to mitigate it.

The Exploit

CVE-2023-24807 is caused by an inefficient Regular Expression (RegEx) implementation in the headerValueNormalize() utility function, making the Headers.set() and Headers.append() methods vulnerable to Regular Expression Denial of Service (ReDoS) attacks if untrusted values are used as input.

A ReDoS attack exploits the weaknesses in the RegEx implementation, resulting in excessive backtracking and eventually causing the application to hang, consume excessive CPU resources, or crash. By exposing such vulnerabilities, an attacker could potentially target an application's availability and performance.

The malicious payload involving the vulnerability could look like this

const evilString = 'undiciaaaaaaaaaaaaaaaaaaaaaaaaayyyyyyyyyyyyyyyyy';

const headers = new Headers();
headers.set('X-Evil', evilString);

Official References

The Undici development team has not only acknowledged the issue but also provided mitigation, presented as an update in GitHub PR #1195.

For more details, refer to the following links

- CVE-2023-24807 NIST NVD Entry
- Undici GitHub Repository Issue #1159

Mitigation

The vulnerability has been addressed in Undici v5.19.1, and developers are highly encouraged to update their applications to this version or later to benefit from the security fixes provided by the team.

To update Undici to the latest version, use the following command

npm install undici@latest

After ensuring the update is successful, the change in the code implementation should adopt the improvements as per PR #1195, and, thus, protect your application from CVE-2023-24807.

In some situations, however, updating may not be immediately possible due to factors such as compatibility or version-related issues. Regrettably, there are no known workarounds for this vulnerability at the moment.

Conclusion

CVE-2023-24807 is a critical security vulnerability that affects the Headers.set() and Headers.append() methods in the Undici HTTP client for Node.js. Developers must update their Undici packages to v5.19.1 or later to protect their applications from potential ReDoS attacks.

While the Undici team has addressed this vulnerability, developers must remain vigilant, stay informed about updates and security patches, and periodically review the safety of their applications.

Timeline

Published on: 02/16/2023 18:15:00 UTC
Last modified on: 02/24/2023 18:38:00 UTC