{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-22025", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-01-04T01:04:06.574Z", "datePublished": "2024-03-19T04:32:34.211Z", "dateUpdated": "2024-10-30T20:32:19.711Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Node.js", "product": "Node.js", "versions": [{"version": "20.11.0", "status": "affected", "lessThanOrEqual": "20.11.0", "versionType": "semver"}, {"version": "21.6.1", "status": "affected", "lessThanOrEqual": "21.6.1", "versionType": "semver"}, {"version": "18.19.0", "status": "affected", "lessThanOrEqual": "18.19.0", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/2284065"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240517-0008/"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-03-19T04:32:34.211Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.825Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2284065", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240517-0008/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T20:30:35.279155Z", "id": "CVE-2024-22025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T20:32:19.711Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2284065", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240517-0008/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.825Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-21T20:30:35.279155Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T20:39:17.683Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}}], "affected": [{"vendor": "Node.js", "product": "Node.js", "versions": [{"status": "affected", "version": "20.11.0", "versionType": "semver", "lessThanOrEqual": "20.11.0"}, {"status": "affected", "version": "21.6.1", "versionType": "semver", "lessThanOrEqual": "21.6.1"}, {"status": "affected", "version": "18.19.0", "versionType": "semver", "lessThanOrEqual": "18.19.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/2284065"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240517-0008/"}], "descriptions": [{"lang": "en", "value": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-03-19T04:32:34.211Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22025", "state": "PUBLISHED", "dateUpdated": "2024-10-30T20:32:19.711Z", "dateReserved": "2024-01-04T01:04:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-03-19T04:32:34.211Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Node.js, que permite un ataque de denegaci\u00f3n de servicio (DoS) por agotamiento de recursos cuando se utiliza la funci\u00f3n fetch() para recuperar contenido de una URL que no es de confianza. La vulnerabilidad surge del hecho de que la funci\u00f3n fetch() en Node.js siempre decodifica Brotli, lo que hace posible que un atacante provoque el agotamiento de los recursos al recuperar contenido de una URL que no es de confianza. Un atacante que controle la URL pasada a fetch() puede aprovechar esta vulnerabilidad para agotar la memoria, lo que podr\u00eda provocar la terminaci\u00f3n del proceso, seg\u00fan la configuraci\u00f3n del sistema."}], "id": "CVE-2024-22025", "lastModified": "2024-11-21T08:55:25.347", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2024-03-19T05:15:10.267", "references": [{"source": "support@hackerone.com", "url": "https://hackerone.com/reports/2284065"}, {"source": "support@hackerone.com", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20240517-0008/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2284065"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240517-0008/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2778", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8090020240422150739.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2780", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8090020240429131734.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2779", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9040020240422140329.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2853", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9040020240419140200.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-15T00:00:00Z"}, {"advisory": "RHSA-2024:2910", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.20.2-8.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-20T00:00:00Z"}, {"advisory": "RHSA-2024:4721", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "nodejs-1:16.20.2-9.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4559", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs-1:16.20.2-6.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-16T00:00:00Z"}], "bugzilla": {"description": "nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service", "id": "2270559", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270559"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.", "A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fetch() function in Node.js that always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. This flaw allows an attacker to control the URL passed into fetch() to exhaust memory, potentially leading to process termination, depending on the system configuration."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22025", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-03-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22025\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22025"], "statement": "The identified flaw in Node.js, which involves the fetch() function always decoding Brotli content regardless of its source, represents a moderate severity issue due to its potential to facilitate denial of service attacks through resource exhaustion. This vulnerability allows malicious actors to manipulate the URL parameter passed into fetch(), exploiting the consistent Brotli decoding behavior to overwhelm system memory resources. While the impact is constrained to process termination, its severity is moderated by the requirement for specific conditions, such as untrusted URLs and system configurations.", "threat_severity": "Moderate"}