A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Because no limit is placed on the number of chunk extension bytes, the server reads an unbounded number of bytes from a single connection. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards such as timeouts and body size limits. This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
References:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high
https://nodejs.org/en/blog/release/v18.19.1
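As an added example (not Node.js or llhttp code) of the missing bound the description refers to, the following scanner for a chunked body's chunk-size line rejects extension bytes beyond an assumed cap of 16 KiB, counting them as they arrive rather than buffering until CRLF:

```javascript
// Added example (not Node.js/llhttp code): an incremental scanner for the
// chunk-size line of a chunked body that caps the bytes accepted as chunk
// extensions, the limit whose absence CVE-2024-22019 describes. Bytes are
// counted as they arrive, not buffered until CRLF, so a slow drip of
// extension bytes is cut off without consuming memory or CPU.
const MAX_EXT_BYTES = 16 * 1024; // assumed cap chosen for this example

// Hex digit value of a byte, or -1 if the byte is not a hex digit.
const hexVal = (c) => (c >= 0x30 && c <= 0x39) ? c - 0x30
  : (c >= 0x41 && c <= 0x46) ? c - 0x37 : (c >= 0x61 && c <= 0x66) ? c - 0x57 : -1;

class ChunkSizeLineScanner {
  constructor(maxExt = MAX_EXT_BYTES) {
    this.maxExt = maxExt; this.state = 'size';
    this.size = 0; this.digits = 0; this.extBytes = 0;
  }
  // Feed one Buffer (one socket read). Returns bytes consumed; state becomes
  // 'done' with this.size set once the terminating CRLF has been seen.
  feed(buf) {
    for (let i = 0; i < buf.length; i++) {
      const c = buf[i];
      if (this.state === 'size') {
        const v = hexVal(c);
        if (v >= 0) { this.size = this.size * 16 + v; this.digits++; continue; }
        if (this.digits === 0) throw new Error('bad chunk size');
        if (c === 0x3b) { this.state = 'ext'; continue; } // ';' starts extensions
        if (c === 0x0d) { this.state = 'cr'; continue; }
        throw new Error('bad chunk size line');
      } else if (this.state === 'ext') {
        if (c === 0x0d) { this.state = 'cr'; continue; }
        if (++this.extBytes > this.maxExt) throw new Error('chunk extension too long');
      } else if (this.state === 'cr') {
        if (c !== 0x0a) throw new Error('expected LF');
        this.state = 'done';
        return i + 1; // remaining bytes belong to the chunk data
      }
    }
    return buf.length;
  }
}

// Drive the scanner over a sequence of Buffers (simulated TCP reads) and
// report { size } on success or { error } when the line is rejected.
function scanChunkSizeLine(pieces, maxExt = MAX_EXT_BYTES) {
  const s = new ChunkSizeLineScanner(maxExt);
  try {
    for (const p of pieces) { s.feed(p); if (s.state === 'done') return { size: s.size }; }
    return { error: 'incomplete' };
  } catch (e) { return { error: e.message }; }
}
```

A constructed over-long extension, such as `[Buffer.from('5;')]` followed by twenty 1 KiB buffers of `'a'`, is rejected after the cap is crossed, while `'1f;name=value\r\n'` yields a chunk size of 31.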
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2264576]
Created nodejs18 tracking bugs for this issue: Affects: fedora-all [bug 2264577]
Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2264578]
Created nodejs16 tracking bugs for this issue: Affects: fedora-all [bug 2264806]
Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-all [bug 2264804]
Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2264805]
Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2264807]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2024:1354 https://access.redhat.com/errata/RHSA-2024:1354
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1424 https://access.redhat.com/errata/RHSA-2024:1424
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1438 https://access.redhat.com/errata/RHSA-2024:1438
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1444 https://access.redhat.com/errata/RHSA-2024:1444
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1678 https://access.redhat.com/errata/RHSA-2024:1678
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:2651 https://access.redhat.com/errata/RHSA-2024:2651
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:2793 https://access.redhat.com/errata/RHSA-2024:2793