[Security] Bump undici from 5.10.0 to 5.20.0
Bumps undici from 5.10.0 to 5.20.0. This update includes security fixes.
Vulnerabilities fixed
Regular Expression Denial of Service in Headers
Impact
The
Headers.set()andHeaders.append()methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
Patched versions: 5.19.1 Affected versions: < 5.19.1
CRLF Injection in Nodejs ‘undici’ via host
Impact
undici library does not protect
hostHTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.hoststring before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (
@timon8) for reporting this vulnerability.Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1
Release notes
Sourced from undici's releases.
v5.20.0
What's Changed
- perf: improve cookie parsing performance by
@KhafraDevin nodejs/undici#1931- fix: disable websocket wpts in ci :( by
@KhafraDevin nodejs/undici#1932- fix: Allow “undefined“ as value in headers by
@pan93412in nodejs/undici#1929- feat: Support autoSelectFamily when connecting. by
@ShogunPandain nodejs/undici#1914- fix: copy cookies when cloning haders by
@KhafraDevin nodejs/undici#1936- test: more logs in wpt runner by
@KhafraDevin nodejs/undici#1933- feat: change headersTimeout and bodyTimeout to 300s by
@kyrylkovin nodejs/undici#1937Full Changelog: https://github.com/nodejs/undici/compare/v5.19.1...v5.20.0
v5.19.1
⚠ ️ Security Release⚠ ️
- Regular Expression Denial of Service in Headers with CVE-2023-24807
- CRLF Injection in Nodejs ‘undici’ via host with CVE-2023-23936
This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
v5.19.0
What's Changed
- fix(fetch): raise AbortSignal max event listeners by
@KhafraDevin nodejs/undici#1910- fix: content-disposition header parsing by
@climba03003in nodejs/undici#1911- fix: remove test by
@KhafraDevin nodejs/undici#1916- feat: add Headers.prototype.getSetCookie by
@KhafraDevin nodejs/undici#1915- fix(headers): clone getSetCookie list & add getSetCookie type by
@KhafraDevin nodejs/undici#1917- doc(mock): update out-of-date reply documentation by
@p9fin nodejs/undici#1913- fix(types): add missing keepAlive params by
@SkeLLLain nodejs/undici#1918- Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by
@mcollinain nodejs/undici#1927New Contributors
@climba03003made their first contribution in nodejs/undici#1911@p9fmade their first contribution in nodejs/undici#1913Full Changelog: https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0
v5.18.0
What's Changed
- Add ability to set TCP keepalive by
@xconvergein nodejs/undici#1904- use faster timers by
@ronagin nodejs/undici#1908- fix: ensure header value is a string by
@ronagin nodejs/undici#1899Full Changelog: https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0
v5.17.1
What's Changed
- fix: bad buffer slice (https://github.com/nodejs/undici/commit/d2be675575512794dcd41b9683b209fc15368154)
... (truncated)
Commits
-
28b9deaBumped v5.20.0 -
30dafe3feat: change headersTimeout and bodyTimeout to 300s (#1937) -
eaf4dc9test: more logs in wpt runner (#1933) -
8b8bfa7fix: copy cookies when cloning haders (#1936) -
eae6807feat: Support autoSelectFamily when connecting. (#1914) -
c2387e8fix: Allow “undefined“ as value in headers (#1929) -
f73ec63fix: disable websocket wpts in ci :( (#1932) -
2971280perf: improve cookie parsing performance (#1931) -
984d53bBumped v5.19.1 -
6c32c0flint fixes - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebasewill rebase this MR -
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts