A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.
The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.
An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-03-19T04:32:34.211Z
Updated: 2024-08-21T20:39:21.144Z
Reserved: 2024-01-04T01:04:06.574Z
Link: CVE-2024-22025
Vulnrichment
Updated: 2024-08-01T22:35:34.825Z
NVD
Status : Awaiting Analysis
Published: 2024-03-19T05:15:10.267
Modified: 2024-06-10T18:15:25.577
Link: CVE-2024-22025
Redhat