CVE-2024-22019: A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource...
Description
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
Classification
CVE ID: CVE-2024-22019
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
Vendor: Node.js
Product: Node.js
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 18.39% (scored less or equal to compared to others)
EPSS Date: 2025-03-14 (when was this score calculated)
References
https://hackerone.com/reports/2233486https://security.netapp.com/advisory/ntap-20240315-0004/
http://www.openwall.com/lists/oss-security/2024/03/11/1