Bug 2264574 (CVE-2024-22019) - CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
Summary: CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk ...
Keywords:
Status: NEW
Alias: CVE-2024-22019
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2264576 2264577 2264578 2264804 2264805 2264806 2264807 2265709 2271423
Blocks: 2264565
TreeView+ depends on / blocked
 
Reported: 2024-02-16 17:30 UTC by Robb Gatica
Modified: 2024-05-09 09:49 UTC (History)
4 users (show)

Fixed In Version: node 18.19.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1369 0 None None None 2024-03-19 06:28:21 UTC
Red Hat Product Errata RHBA-2024:1370 0 None None None 2024-03-19 06:30:45 UTC
Red Hat Product Errata RHBA-2024:1442 0 None None None 2024-03-20 12:27:59 UTC
Red Hat Product Errata RHBA-2024:1470 0 None None None 2024-03-21 13:31:19 UTC
Red Hat Product Errata RHBA-2024:1528 0 None None None 2024-03-26 15:30:55 UTC
Red Hat Product Errata RHBA-2024:1587 0 None None None 2024-04-01 20:32:25 UTC
Red Hat Product Errata RHBA-2024:1695 0 None None None 2024-04-08 12:30:24 UTC
Red Hat Product Errata RHBA-2024:1702 0 None None None 2024-04-08 22:46:21 UTC
Red Hat Product Errata RHBA-2024:1709 0 None None None 2024-04-09 11:15:40 UTC
Red Hat Product Errata RHBA-2024:1710 0 None None None 2024-04-09 11:12:46 UTC
Red Hat Product Errata RHBA-2024:1711 0 None None None 2024-04-09 11:21:50 UTC
Red Hat Product Errata RHBA-2024:1712 0 None None None 2024-04-09 11:25:13 UTC
Red Hat Product Errata RHBA-2024:1745 0 None None None 2024-04-10 01:13:40 UTC
Red Hat Product Errata RHBA-2024:1749 0 None None None 2024-04-10 08:48:56 UTC
Red Hat Product Errata RHBA-2024:1774 0 None None None 2024-04-10 19:45:54 UTC
Red Hat Product Errata RHBA-2024:1776 0 None None None 2024-04-11 07:02:51 UTC
Red Hat Product Errata RHSA-2024:1354 0 None None None 2024-03-18 10:41:40 UTC
Red Hat Product Errata RHSA-2024:1424 0 None None None 2024-03-19 17:45:47 UTC
Red Hat Product Errata RHSA-2024:1438 0 None None None 2024-03-20 10:00:37 UTC
Red Hat Product Errata RHSA-2024:1444 0 None None None 2024-03-20 16:55:09 UTC
Red Hat Product Errata RHSA-2024:1510 0 None None None 2024-03-26 09:22:52 UTC
Red Hat Product Errata RHSA-2024:1678 0 None None None 2024-04-04 16:08:00 UTC
Red Hat Product Errata RHSA-2024:1687 0 None None None 2024-04-08 09:04:57 UTC
Red Hat Product Errata RHSA-2024:1688 0 None None None 2024-04-08 08:49:47 UTC
Red Hat Product Errata RHSA-2024:1880 0 None None None 2024-04-18 02:08:52 UTC
Red Hat Product Errata RHSA-2024:1932 0 None None None 2024-04-22 01:09:13 UTC
Red Hat Product Errata RHSA-2024:2651 0 None None None 2024-05-02 07:03:31 UTC
Red Hat Product Errata RHSA-2024:2793 0 None None None 2024-05-09 09:49:20 UTC

Description Robb Gatica 2024-02-16 17:30:00 UTC 
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
Comment 1 Robb Gatica 2024-02-16 17:33:10 UTC 
References:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high
https://nodejs.org/en/blog/release/v18.19.1
Comment 2 Robb Gatica 2024-02-16 17:37:27 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264576]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2264577]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2264578]
Comment 4 Sandipan Roy 2024-02-19 04:11:01 UTC 
Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2264806]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264804]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264805]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2264807]
Comment 9 errata-xmlrpc 2024-03-18 10:41:39 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1354 https://access.redhat.com/errata/RHSA-2024:1354
Comment 10 errata-xmlrpc 2024-03-19 17:45:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1424 https://access.redhat.com/errata/RHSA-2024:1424
Comment 11 errata-xmlrpc 2024-03-20 10:00:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1438 https://access.redhat.com/errata/RHSA-2024:1438
Comment 12 errata-xmlrpc 2024-03-20 16:55:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1444 https://access.redhat.com/errata/RHSA-2024:1444
Comment 15 errata-xmlrpc 2024-03-26 09:22:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510
Comment 16 errata-xmlrpc 2024-04-04 16:07:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1678 https://access.redhat.com/errata/RHSA-2024:1678
Comment 17 errata-xmlrpc 2024-04-08 08:49:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
Comment 18 errata-xmlrpc 2024-04-08 09:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687
Comment 19 errata-xmlrpc 2024-04-18 02:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880
Comment 20 errata-xmlrpc 2024-04-22 01:09:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932
Comment 21 errata-xmlrpc 2024-05-02 07:03:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2651 https://access.redhat.com/errata/RHSA-2024:2651
Comment 22 errata-xmlrpc 2024-05-09 09:49:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2793 https://access.redhat.com/errata/RHSA-2024:2793
Note You need to log in before you can comment on or make changes to this bug.