CVE-2024-22019

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/03/11/1	Mailing List Third Party Advisory
https://hackerone.com/reports/2233486	Issue Tracking
https://security.netapp.com/advisory/ntap-20240315-0004/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/11/1	Mailing List Third Party Advisory
https://hackerone.com/reports/2233486	Issue Tracking
https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
https://security.netapp.com/advisory/ntap-20240315-0004/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

Configuration 2 (hide)

cpe:2.3:a:netapp:astra_control_center:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-02-20 02:15

Updated : 2025-11-04 17:15

NVD link : CVE-2024-22019

Mitre link : CVE-2024-22019

CVE.ORG link : CVE-2024-22019

JSON object : View

Products Affected

nodejs

node.js

netapp

astra_control_center

CWE

CWE-404

Improper Resource Shutdown or Release

{"id": "CVE-2024-22019", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-20T02:15:50.983", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/2233486", "tags": ["Issue Tracking"], "source": "support@hackerone.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2233486", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240315-0004/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-404"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits."}, {"lang": "es", "value": "Una vulnerabilidad en los servidores HTTP de Node.js permite a un atacante enviar una solicitud HTTP especialmente manipulada con codificaci\u00f3n fragmentada, lo que provoca el agotamiento de los recursos y la denegaci\u00f3n de servicio (DoS). El servidor lee una cantidad ilimitada de bytes de una \u00fanica conexi\u00f3n, aprovechando la falta de limitaciones en los bytes de extensi\u00f3n de fragmentos. El problema puede provocar el agotamiento del ancho de banda de la CPU y de la red, pasando por alto salvaguardas est\u00e1ndar como tiempos de espera y l\u00edmites de tama\u00f1o corporal."}], "lastModified": "2025-11-04T17:15:45.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "ED0E725B-F218-44C4-BAFA-05E831D9ED68", "versionEndExcluding": "18.19.1", "versionStartIncluding": "18.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "EB510747-739C-4654-86E1-337962640D6E", "versionEndExcluding": "20.11.1", "versionStartIncluding": "20.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "47D50080-1F46-4A8C-B766-971F7FBCA5C1", "versionEndExcluding": "21.6.2", "versionStartIncluding": "21.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:astra_control_center:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC5EBD2A-32A3-46D5-B155-B44DCB7F6902"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}