Prevent header normalization ReDoS in API runtime #30496

@laipz8200

Description

Self Checks

  • I have read the Contributing Guide and Language Policy.
  • This is only for bug reports; if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • [Chinese users & non-English users] Please submit in English, otherwise the report will be closed :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

Unknown (needs confirmation)

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

  1. Build or run the API image from api/Dockerfile.
  2. Send requests that exercise Headers.set or Headers.append with crafted header values through the Node/undici runtime.
  3. Observe CPU spikes and degraded responsiveness.

✔️ Expected Behavior

Header normalization handles untrusted input without excessive backtracking or resource spikes.

❌ Actual Behavior

The current runtime's bundled undici can be forced into costly regex backtracking, causing high CPU usage and potential denial of service.
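The expected behaviour above is that header normalization runs in linear time regardless of input. As an added example (not the issue author's code, not Dify's, and not undici's), the snippet below shows the shape of a backtracking-free normalizer: a two-index scan that strips leading and trailing HTTP whitespace, a loop-based validity check, and a small `SafeHeaders` store (a hypothetical name) with `set`/`append` semantics built on them.

```javascript
// Added example: linear-time header value normalization with no regular
// expressions, so no crafted value can trigger catastrophic backtracking.
// HTTP whitespace per the Fetch spec: HTAB, SP, CR, LF.
const HTTP_WHITESPACE = new Set(['\t', ' ', '\r', '\n']);

// Strip leading/trailing HTTP whitespace with two indices: O(n), one pass.
function normalizeHeaderValue(value) {
  const s = String(value);
  let start = 0;
  let end = s.length;
  while (start < end && HTTP_WHITESPACE.has(s[start])) start++;
  while (end > start && HTTP_WHITESPACE.has(s[end - 1])) end--;
  return s.slice(start, end);
}

// Reject values containing NUL, CR or LF (header injection), again via a
// plain loop rather than a regex. Returns true when the value is storable.
function isValidHeaderValue(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x00 || c === 0x0a || c === 0x0d) return false;
  }
  return true;
}

// Hypothetical minimal Headers-like store using the helpers above.
// Names are lower-cased; append joins existing values with ", ".
class SafeHeaders {
  constructor() { this.map = new Map(); }
  set(name, value) {
    const v = normalizeHeaderValue(value);
    if (!isValidHeaderValue(v)) throw new TypeError('invalid header value');
    this.map.set(String(name).toLowerCase(), v);
  }
  append(name, value) {
    const v = normalizeHeaderValue(value);
    if (!isValidHeaderValue(v)) throw new TypeError('invalid header value');
    const key = String(name).toLowerCase();
    const prev = this.map.get(key);
    this.map.set(key, prev === undefined ? v : `${prev}, ${v}`);
  }
  get(name) { return this.map.get(String(name).toLowerCase()) ?? null; }
}

// Constructed hostile-looking input: a very long run of whitespace. The scan
// above handles it in a single linear pass.
const LONG_WHITESPACE = ' \t'.repeat(500000);
```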

Labels

🐞 bug (Something isn't working)
