VulnerableCode Package Details - pkg:deb/debian/node-undici@5.19.1%2Bdfsg1%2B~cs20.10.9.5-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dtvs-pgam-qkbp	CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.	CVE-2023-23936 GHSA-5r9g-qh6m-jxff
VCID-vh17-44d1-kyf7	Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.	CVE-2023-24807 GHSA-r6ch-mqf9-qc9w

Vulnerability

Summary

Aliases

VCID-dtvs-pgam-qkbp

CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.

CVE-2023-23936
GHSA-5r9g-qh6m-jxff

VCID-vh17-44d1-kyf7

Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

CVE-2023-24807
GHSA-r6ch-mqf9-qc9w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:37:54.221540+00:00	Debian Importer	Fixing	VCID-vh17-44d1-kyf7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:19:14.714158+00:00	Debian Importer	Fixing	VCID-dtvs-pgam-qkbp	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:11:11.301762+00:00	Debian Importer	Fixing	VCID-vh17-44d1-kyf7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:13:37.039688+00:00	Debian Importer	Fixing	VCID-dtvs-pgam-qkbp	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:47:17.785307+00:00	Debian Importer	Fixing	VCID-vh17-44d1-kyf7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:17.729654+00:00	Debian Importer	Fixing	VCID-dtvs-pgam-qkbp	https://security-tracker.debian.org/tracker/data/json	38.1.0