CVE-2024-22025

nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.
The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.
An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Se ha identificado una vulnerabilidad en Node.js, que permite un ataque de denegación de servicio (DoS) por agotamiento de recursos cuando se utiliza la función fetch() para recuperar contenido de una URL que no es de confianza. La vulnerabilidad surge del hecho de que la función fetch() en Node.js siempre decodifica Brotli, lo que hace posible que un atacante provoque el agotamiento de los recursos al recuperar contenido de una URL que no es de confianza. Un atacante que controle la URL pasada a fetch() puede aprovechar esta vulnerabilidad para agotar la memoria, lo que podría provocar la terminación del proceso, según la configuración del sistema.

A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fetch() function in Node.js that always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. This flaw allows an attacker to control the URL passed into fetch() to exhaust memory, potentially leading to process termination, depending on the system configuration.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-04 CVE Reserved
2024-03-19 CVE Published
2024-06-11 EPSS Updated
2024-10-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release

CAPEC

References (5)

URL	Tag	Source
https://hackerone.com/reports/2284065
https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
https://security.netapp.com/advisory/ntap-20240517-0008

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-22025	2024-07-23
https://bugzilla.redhat.com/show_bug.cgi?id=2270559	2024-07-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Node.js Search vendor "Node.js"		Node.js Search vendor "Node.js" for product "Node.js"				20.11.0 Search vendor "Node.js" for product "Node.js" and version "20.11.0"		en		Affected
Node.js Search vendor "Node.js"		Node.js Search vendor "Node.js" for product "Node.js"				21.6.1 Search vendor "Node.js" for product "Node.js" and version "21.6.1"		en		Affected
Node.js Search vendor "Node.js"		Node.js Search vendor "Node.js" for product "Node.js"				18.19.0 Search vendor "Node.js" for product "Node.js" and version "18.19.0"		en		Affected