CVE-2024-22019
- Source
- https://cve.org/CVERecord?id=CVE-2024-22019
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-22019.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-22019
- Aliases
- Downstream
- Related
- Published
- 2024-02-20T01:31:08.092Z
- Modified
- 2026-05-13T06:54:57.417941476Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
- Database specific
{ "cna_assigner": "hackerone", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22019.json", "unresolved_ranges": [ { "source": "AFFECTED_FIELD", "extracted_events": [ { "introduced": "4.0" }, { "fixed": "4.*" }, { "introduced": "5.0" }, { "fixed": "5.*" }, { "introduced": "6.0" }, { "fixed": "6.*" }, { "introduced": "7.0" }, { "fixed": "7.*" }, { "introduced": "8.0" }, { "fixed": "8.*" }, { "introduced": "9.0" }, { "fixed": "9.*" }, { "introduced": "10.0" }, { "fixed": "10.*" }, { "introduced": "11.0" }, { "fixed": "11.*" }, { "introduced": "12.0" }, { "fixed": "12.*" }, { "introduced": "13.0" }, { "fixed": "13.*" }, { "introduced": "14.0" }, { "fixed": "14.*" }, { "introduced": "15.0" }, { "fixed": "15.*" }, { "introduced": "16.0" }, { "fixed": "16.*" }, { "introduced": "17.0" }, { "fixed": "17.*" }, { "introduced": "18.0" }, { "fixed": "18.19.1" }, { "introduced": "19.0" }, { "fixed": "19.*" }, { "introduced": "20.0" }, { "fixed": "20.11.1" }, { "introduced": "21.0" }, { "fixed": "21.6.2" } ] } ] }- References
-
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://hackerone.com/reports/2233486
- https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22019.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-22019
- https://security.netapp.com/advisory/ntap-20240315-0004/
Affected packages
Git / github.com/nodejs/node
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
- Database specific
{ "source": "CPE_FIELD", "cpe": [ "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*" ], "extracted_events": [ { "introduced": "18.0.0" }, { "fixed": "18.19.1" }, { "introduced": "20.0.0" }, { "fixed": "20.11.1" }, { "introduced": "21.0.0" }, { "fixed": "21.6.2" } ] }
Affected versions
v18.*
v18.0.0
v18.1.0
v18.10.0
v18.11.0
v18.12.0
v18.12.1
v18.13.0
v18.14.0
v18.14.1
v18.14.2
v18.15.0
v18.16.0
v18.16.1
v18.17.0
v18.17.1
v18.18.0
v18.18.1
v18.18.2
v18.19.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0
v18.9.1
v20.*
v20.0.0
v20.1.0
v20.10.0
v20.11.0
v20.2.0
v20.3.0
v20.3.1
v20.4.0
v20.5.0
v20.5.1
v20.6.0
v20.6.1
v20.7.0
v20.8.0
v20.8.1
v20.9.0
v21.*
v21.0.0
v21.1.0
v21.2.0
v21.3.0
v21.4.0
v21.5.0
v21.6.0
v21.6.1