Home > Vulnerability Database > CVE-2024-22025

Mend.io Vulnerability Database

CVE-2024-22025

Good to know:

Date: March 19, 2024

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Language: JS

Severity Score

7.5

Related Resources (7)

Url: https://nodejs.org/en/blog/release/v18.19.1

Url: https://hackerone.com/reports/2284065

Url: https://github.com/nodejs/node/commit/f31d47e135973746c4f490d5eb635eded8bb3dda

Url: https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

Url: https://security-tracker.debian.org/tracker/CVE-2024-22025

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-22025

Url: https://www.mend.io/vulnerability-database/CVE-2024-22025

Severity Score

7.5

Top Fix

Upgrade Version

Upgrade to version v18.19.1,v20.11.1,v21.6.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-22025

Good to know:

Date: March 19, 2024

Language: JS

Severity Score

Related Resources (7)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?