Node.js HTTP Servers Vulnerable to Resource Exhaustion Attacks
CVE-2024-22019

7.5HIGH

Key Information:

Vendor: Node.js
Status: Node.js
Vendor: CVE Published:; 20 February 2024

What is CVE-2024-22019?

A vulnerability exists within Node.js HTTP servers that permits attackers to send specially crafted HTTP requests utilizing chunked encoding. This manipulation can lead to resource exhaustion, as the server is induced to read an unbounded number of bytes from a single connection. The flaw takes advantage of insufficient limitations on chunk extension bytes, which can result in the depletion of CPU resources and network bandwidth. Consequently, this vulnerability allows attackers to bypass traditional safeguards such as timeout settings and body size limits, ultimately causing denial of service conditions.

Affected Version(s)

Node.js 21.6.1

References

https://hackerone.com/reports/2233486

https://security.netapp.com/advisory/ntap-20240315-0004/

http://www.openwall.com/lists/oss-security/2024/03/11/1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2024
Vulnerability Reserved
Jan 4, 2024