CVE-2024-22025

Severity
6.5 MEDIUM
EPSS
0.6%
top 29.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 19
Latest update: Jul 16

Description

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust me

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEList V5: nodejs/node, versions 4.0, 4.* (+17 more)
Debian: nodejs < 12.22.12~dfsg-1~deb11u5 (+3 more)

Vulnerability Details (3)

GHSA: GHSA-xp28-3fv9-33c6: A vulnerability in Node (2024-03-19)
CVEList: CVE-2024-22025: A vulnerability in Node (2024-03-19)
OSV: CVE-2024-22025: A vulnerability in Node (2024-03-19)

Vendor Advisories (4)

Atlassian: CVE-2023-22025 CVE-2023-22081 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20932 CVE-2024-20945 (2024-07-16)
Red Hat: nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service (2024-03-19)
Microsoft: A vulnerability in Node.js has been identified allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The (2024-03-12)
Debian: CVE-2024-22025: nodejs - A vulnerability in Node.js has been identified, allowing for a Denial of Service... (2024)