Bug 2264574 (CVE-2024-22019) - CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
Summary: CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk ...
Keywords:
Status: NEW
Alias: CVE-2024-22019
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2264576 2264577 2264578 2264804 2264805 2264806 2264807 2265709 2271423
Blocks: 2264565
TreeView+ depends on / blocked
 
Reported: 2024-02-16 17:30 UTC by Robb Gatica
Modified: 2024-04-11 07:02 UTC (History)
4 users (show)

Fixed In Version: node 18.19.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1369 0 None None None 2024-03-19 06:28:21 UTC
Red Hat Product Errata RHBA-2024:1370 0 None None None 2024-03-19 06:30:45 UTC
Red Hat Product Errata RHBA-2024:1442 0 None None None 2024-03-20 12:27:59 UTC
Red Hat Product Errata RHBA-2024:1470 0 None None None 2024-03-21 13:31:19 UTC
Red Hat Product Errata RHBA-2024:1528 0 None None None 2024-03-26 15:30:55 UTC
Red Hat Product Errata RHBA-2024:1587 0 None None None 2024-04-01 20:32:25 UTC
Red Hat Product Errata RHBA-2024:1695 0 None None None 2024-04-08 12:30:24 UTC
Red Hat Product Errata RHBA-2024:1702 0 None None None 2024-04-08 22:46:21 UTC
Red Hat Product Errata RHBA-2024:1709 0 None None None 2024-04-09 11:15:40 UTC
Red Hat Product Errata RHBA-2024:1710 0 None None None 2024-04-09 11:12:46 UTC
Red Hat Product Errata RHBA-2024:1711 0 None None None 2024-04-09 11:21:50 UTC
Red Hat Product Errata RHBA-2024:1712 0 None None None 2024-04-09 11:25:13 UTC
Red Hat Product Errata RHBA-2024:1745 0 None None None 2024-04-10 01:13:40 UTC
Red Hat Product Errata RHBA-2024:1749 0 None None None 2024-04-10 08:48:56 UTC
Red Hat Product Errata RHBA-2024:1774 0 None None None 2024-04-10 19:45:54 UTC
Red Hat Product Errata RHBA-2024:1776 0 None None None 2024-04-11 07:02:51 UTC
Red Hat Product Errata RHSA-2024:1354 0 None None None 2024-03-18 10:41:40 UTC
Red Hat Product Errata RHSA-2024:1424 0 None None None 2024-03-19 17:45:47 UTC
Red Hat Product Errata RHSA-2024:1438 0 None None None 2024-03-20 10:00:37 UTC
Red Hat Product Errata RHSA-2024:1444 0 None None None 2024-03-20 16:55:09 UTC
Red Hat Product Errata RHSA-2024:1510 0 None None None 2024-03-26 09:22:52 UTC
Red Hat Product Errata RHSA-2024:1678 0 None None None 2024-04-04 16:08:00 UTC
Red Hat Product Errata RHSA-2024:1687 0 None None None 2024-04-08 09:04:57 UTC
Red Hat Product Errata RHSA-2024:1688 0 None None None 2024-04-08 08:49:47 UTC

Description Robb Gatica 2024-02-16 17:30:00 UTC
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.

Comment 2 Robb Gatica 2024-02-16 17:37:27 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264576]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2264577]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2264578]

Comment 4 Sandipan Roy 2024-02-19 04:11:01 UTC
Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2264806]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264804]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264805]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2264807]

Comment 9 errata-xmlrpc 2024-03-18 10:41:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1354 https://access.redhat.com/errata/RHSA-2024:1354

Comment 10 errata-xmlrpc 2024-03-19 17:45:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1424 https://access.redhat.com/errata/RHSA-2024:1424

Comment 11 errata-xmlrpc 2024-03-20 10:00:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1438 https://access.redhat.com/errata/RHSA-2024:1438

Comment 12 errata-xmlrpc 2024-03-20 16:55:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1444 https://access.redhat.com/errata/RHSA-2024:1444

Comment 15 errata-xmlrpc 2024-03-26 09:22:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510

Comment 16 errata-xmlrpc 2024-04-04 16:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1678 https://access.redhat.com/errata/RHSA-2024:1678

Comment 17 errata-xmlrpc 2024-04-08 08:49:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688

Comment 18 errata-xmlrpc 2024-04-08 09:04:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687


Note You need to log in before you can comment on or make changes to this bug.