CVE-2023-24807 Overview
CVE-2023-24807 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Undici HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to ReDoS attacks when untrusted values are passed into these functions. This vulnerability stems from an inefficient regular expression used to normalize header values in the headerValueNormalize() utility function, which can be exploited by attackers to cause excessive CPU consumption and application unavailability.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to cause denial of service conditions in Node.js applications using the Undici HTTP client by supplying specially crafted header values that trigger catastrophic backtracking in the regex engine.
Affected Products
- nodejs undici versions prior to 5.19.1
- Node.js applications utilizing the Undici HTTP client library
- Applications accepting untrusted input for HTTP header values
Discovery Timeline
- 2023-02-16 - CVE-2023-24807 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-24807
Vulnerability Analysis
The vulnerability exists in the headerValueNormalize() function within lib/fetch/headers.js. This function is responsible for normalizing HTTP header values by removing leading and trailing HTTP whitespace bytes (carriage return, newline, tab, and space characters). The original implementation used a single regular expression /^[\r\n\t ]+|[\r\n\t ]+$/g with the replace() method to trim whitespace from both ends of the input string.
The problematic pattern, particularly the trailing whitespace portion [\r\n\t ]+$, is susceptible to catastrophic backtracking when processing specially crafted input strings. When an attacker provides a header value containing a long sequence of whitespace-like characters followed by non-matching content, the regex engine may enter an exponential backtracking state, consuming excessive CPU cycles and blocking the event loop.
Root Cause
The root cause is the use of an inefficient regular expression for string trimming operations. The regex [\r\n\t ]+$ matches one or more whitespace characters at the end of a string. When applied to input with specific patterns, the regex engine attempts numerous backtracking combinations before determining a non-match, leading to algorithmic complexity attacks. This is a classic example of CWE-1333 (Inefficient Regular Expression Complexity) combined with CWE-20 (Improper Input Validation).
Attack Vector
An attacker can exploit this vulnerability by providing maliciously crafted header values through the Headers.set() or Headers.append() methods. The attack requires network access to the affected application but does not require authentication or user interaction. Applications that accept HTTP header values from untrusted sources (such as proxied requests, user-controlled inputs, or external API responses) are particularly at risk. A successful attack results in CPU exhaustion, causing the Node.js application to become unresponsive.
// To normalize a byte sequence potentialValue, remove
// any leading and trailing HTTP whitespace bytes from
// potentialValue.
- return potentialValue.replace(
- /^[\r\n\t ]+|[\r\n\t ]+$/g,
- ''
- )
+
+ // Trimming the end with `.replace()` and a RegExp is typically subject to
+ // ReDoS. This is safer and faster.
+ let i = potentialValue.length
+ while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
+ return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
}
function fill (headers, object) {
Source: GitHub Commit f2324e5
The patch replaces the problematic regex-based trimming with a safer approach: it uses a simple character-by-character loop to find the last non-whitespace character, then slices the string and only applies regex to trim the leading whitespace, which is less prone to backtracking issues.
Detection Methods for CVE-2023-24807
Indicators of Compromise
- Abnormally high CPU utilization in Node.js processes without corresponding increase in legitimate traffic
- Event loop lag or delays in processing incoming HTTP requests
- Application timeouts or unresponsiveness when handling specific HTTP headers
- Error logs indicating request timeouts or worker thread exhaustion
Detection Strategies
- Monitor Node.js process CPU consumption and alert on sustained high utilization patterns
- Implement request timeout monitoring to detect slow processing indicative of ReDoS attacks
- Use dependency scanning tools (npm audit, Snyk, OWASP Dependency-Check) to identify vulnerable Undici versions
- Deploy application performance monitoring (APM) to track event loop latency and identify blocking operations
Monitoring Recommendations
- Enable detailed logging for HTTP header processing in applications using Undici
- Set up alerts for event loop delays exceeding normal thresholds (e.g., >100ms)
- Monitor memory and CPU metrics at the container/process level for anomalous patterns
- Implement rate limiting on endpoints that process untrusted header values
How to Mitigate CVE-2023-24807
Immediate Actions Required
- Upgrade Undici to version 5.19.1 or later immediately
- Audit applications to identify all instances where Undici's Headers.set() or Headers.append() methods receive untrusted input
- Implement input validation and length limits on HTTP header values before passing to Undici
- Consider deploying a web application firewall (WAF) to filter malicious header patterns as a defense-in-depth measure
Patch Information
The vulnerability was patched in Undici version 5.19.1. The fix replaces the vulnerable regex-based whitespace trimming with a more efficient algorithm that uses character iteration to find trailing whitespace, avoiding the exponential backtracking behavior. Organizations should update their package.json dependencies and run npm update undici or yarn upgrade undici to apply the fix. For detailed patch information, refer to the GitHub Security Advisory and the release notes for v5.19.1.
Workarounds
- No official workarounds are available according to the vendor advisory
- As a temporary measure, implement strict input validation on header values before processing
- Set maximum length constraints on HTTP header values to reduce attack surface
- Deploy request timeout mechanisms to terminate slow requests that may indicate ReDoS exploitation
# Upgrade Undici to patched version
npm update undici@5.19.1
# Verify installed version
npm list undici
# Audit for vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
