CVE-2024-22019

Severity: 7.5 HIGH
EPSS: 0.4% (top 40.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 20
Latest update: Jul 15

Description

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Because there is no limit on chunk extension bytes, the server reads an unbounded number of bytes from a single connection. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: nodejs/node 4.0 4.* +17
NVD: nodejs/node.js 18.0.0 18.19.1 +2
Debian: nodejs < 12.22.12~dfsg-1~deb11u5 +3

🔴 Vulnerability Details (3)

OSV: CVE-2024-22019: A vulnerability in Node (2024-02-20)
CVEList: CVE-2024-22019: A vulnerability in Node (2024-02-20)
GHSA: GHSA-prhj-8562-p8gj: A vulnerability in Node (2024-02-20)

📋 Vendor Advisories (4)

Oracle: Oracle Oracle Communications Risk Matrix: Platform (Node.js) - CVE-2024-22019 (2024-07-15)
Red Hat: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (2024-02-16)
Microsoft: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding leading to resource exhaustion and denial of service (DoS). The server reads a (2024-02-13)
Debian: CVE-2024-22019: nodejs - A vulnerability in Node.js HTTP servers allows an attacker to send a specially c... (2024)

💬 Community (1)

HackerOne: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (2024-03-05)