Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-22025

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-19 Mar, 2024 | 04:32
Updated At-30 Apr, 2025 | 22:25
Rejected At-
Credits

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:19 Mar, 2024 | 04:32
Updated At:30 Apr, 2025 | 22:25
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Affected Products
Vendor
Node.js (OpenJS Foundation)NodeJS
Product
Node
Default Status
unaffected
Versions
Affected
  • From 4.0 before 4.* (semver)
  • From 5.0 before 5.* (semver)
  • From 6.0 before 6.* (semver)
  • From 7.0 before 7.* (semver)
  • From 8.0 before 8.* (semver)
  • From 9.0 before 9.* (semver)
  • From 10.0 before 10.* (semver)
  • From 11.0 before 11.* (semver)
  • From 12.0 before 12.* (semver)
  • From 13.0 before 13.* (semver)
  • From 14.0 before 14.* (semver)
  • From 15.0 before 15.* (semver)
  • From 16.0 before 16.* (semver)
  • From 17.0 before 17.* (semver)
  • From 18.0 before 18.19.1 (semver)
  • From 19.0 before 19.* (semver)
  • From 20.0 before 20.11.1 (semver)
  • From 21.0 before 21.6.2 (semver)
Metrics
VersionBase scoreBase severityVector
3.06.5MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Version: 3.0
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/2284065
N/A
https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
N/A
https://security.netapp.com/advisory/ntap-20240517-0008/
N/A
Hyperlink: https://hackerone.com/reports/2284065
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20240517-0008/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/2284065
x_transferred
https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
x_transferred
https://security.netapp.com/advisory/ntap-20240517-0008/
x_transferred
Hyperlink: https://hackerone.com/reports/2284065
Resource:
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
Resource:
x_transferred
Hyperlink: https://security.netapp.com/advisory/ntap-20240517-0008/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-404CWE-404 Improper Resource Shutdown or Release
Type: CWE
CWE ID: CWE-404
Description: CWE-404 Improper Resource Shutdown or Release
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:19 Mar, 2024 | 05:15
Updated At:30 Oct, 2024 | 21:35

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.06.5MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.0
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-404Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-404
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://hackerone.com/reports/2284065support@hackerone.com
N/A
https://lists.debian.org/debian-lts-announce/2024/03/msg00029.htmlsupport@hackerone.com
N/A
https://security.netapp.com/advisory/ntap-20240517-0008/support@hackerone.com
N/A
Hyperlink: https://hackerone.com/reports/2284065
Source: support@hackerone.com
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
Source: support@hackerone.com
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20240517-0008/
Source: support@hackerone.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2024-22019
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.09% / 27.22%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 01:31
Updated-30 Apr, 2025 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)NetApp, Inc.
Product-node.jsastra_control_centerNodenode.js
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2023-1443
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 32.07%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 06:31
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Filseclab Twister Antivirus IoControlCode fildds.sys 0x80112053 denial of service

A vulnerability was found in Filseclab Twister Antivirus 8. It has been declared as problematic. This vulnerability affects the function 0x80112053 in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223288.

Action-Not Available
Vendor-filseclabFilseclab
Product-twister_antivirusTwister Antivirus
CWE ID-CWE-404
Improper Resource Shutdown or Release
Details not found