A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
History

Thu, 07 Nov 2024 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Node.js
Node.js node.js
Weaknesses CWE-404
CPEs cpe:2.3:a:node.js:node.js:*:*:*:*:*:*:*:*
Vendors & Products Node.js
Node.js node.js
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-02-20T01:31:08.092Z

Updated: 2024-11-07T21:17:16.721Z

Reserved: 2024-01-04T01:04:06.574Z

Link: CVE-2024-22019

cve-icon Vulnrichment

Updated: 2024-08-01T22:35:34.700Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-02-20T02:15:50.983

Modified: 2024-11-21T08:55:24.413

Link: CVE-2024-22019

cve-icon Redhat

Severity : Important

Publid Date: 2024-02-16T00:00:00Z

Links: CVE-2024-22019 - Bugzilla