CVE-2024-24806 – Improper Domain Lookup that potentially leads to SSRF attacks in libuv

https://notcve.org/view.php?id=CVE-2024-24806

07 Feb 2024 — libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability aris... • http://www.openwall.com/lists/oss-security/2024/02/08/2 • CWE-918: Server-Side Request Forgery (SSRF) •