Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
5.15.0+dfsg1+~cs20.10.9.3-15.15.0+dfsg1+~cs20.10.9.3-1+deb12u15.15.0+dfsg1+~cs20.10.9.3-1+deb12u25.15.0+dfsg1+~cs20.10.9.3-1+deb12u35.15.0+dfsg1+~cs20.10.9.3-1+deb12u45.19.1+dfsg1+~cs20.10.9.5-15.19.1+dfsg1+~cs20.10.9.5-25.22.1+dfsg1+~cs20.10.10.2-15.26.3+dfsg1+~cs23.10.12-15.26.3+dfsg1+~cs23.10.12-2+21 more7.15.0+dfsg+~cs3.2.0-17.15.0+dfsg+~cs3.2.0-37.16.0+dfsg+~cs3.2.0-17.16.0+dfsg+~cs3.2.0-27.18.2+dfsg+~cs3.2.0-17.3.0+dfsg1+~cs24.12.11-17.3.0+dfsg1+~cs24.12.11-27.18.2+dfsg+~cs3.2.0-1Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:NI:NA:LCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L