CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to…

medium6.5CVSS 3.0

AVNACLPRNUIRSUCNINAH

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Affected

33 ranges· showing 25

Vendor	Product	Version range	Fixed in
atlassian	confluence_data_center	—	—
debian	nodejs	< nodejs 18.20.4+dfsg-1~deb12u1 (bookworm)	nodejs 18.20.4+dfsg-1~deb12u1 (bookworm)
msrc	azl3_nodejs_20.10.0-2_on_azure_linux_3.0	—	—
msrc	azl3_nodejs_20.14.0-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_nodejs18_18.18.2-5_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs_16.20.2-4_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
nodejs	node	>= 10.0 < 10.*	10.*
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.*	12.*
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.*	14.*
nodejs	node	>= 15.0 < 15.*	15.*
nodejs	node	>= 16.0 < 16.*	16.*
nodejs	node	>= 17.0 < 17.*	17.*
nodejs	node	>= 18.0 < 18.19.1	18.19.1
nodejs	node	>= 19.0 < 19.*	19.*
nodejs	node	>= 20.0 < 20.11.1	20.11.1
nodejs	node	>= 21.0 < 21.6.2	21.6.2
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*

CVSS provenance

nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

osv6.5MEDIUM