Vulnerability Description
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 18.0.0, < 18.19.1 |
| Netapp | Astra Control Center | - |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/03/11/1Mailing ListThird Party Advisory
- https://hackerone.com/reports/2233486Issue Tracking
- https://security.netapp.com/advisory/ntap-20240315-0004/Third Party Advisory
- http://www.openwall.com/lists/oss-security/2024/03/11/1Mailing ListThird Party Advisory
- https://hackerone.com/reports/2233486Issue Tracking
- https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- https://security.netapp.com/advisory/ntap-20240315-0004/Third Party Advisory
FAQ
What is CVE-2024-22019?
CVE-2024-22019 is a vulnerability with a CVSS score of 7.5 (HIGH). A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads ...
How severe is CVE-2024-22019?
CVE-2024-22019 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-22019?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Netapp Astra Control Center.