CVE-2024-22019

Denial of Service
Affects Node.js <21.6.2, <20.11.1, <v18.19.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Node.js, a widely used JavaScript runtime built on Chrome's V8 engine, is affected by a medium-severity vulnerability in its HTTP server. The flaw stems from a lack of safeguards on chunk extension bytes: the server may read an unbounded number of bytes from a single connection. An attacker can send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.

Details

Module Info

  • Product: Node.js
  • Affected versions: <21.6.2, <20.11.1, <v18.19.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
  • GitHub repository: https://github.com/nodejs/node
  • Fixed in: Node.js NES v12, v14, v16, v18

Vulnerability Info

This vulnerability arises from improper handling of chunk extensions in HTTP requests with Transfer-Encoding: chunked. The server does not adequately limit or reset chunk extensions, allowing an attacker to send excessively large or continuous chunk extensions, potentially leading to denial of service (DoS) or bypassing security controls.

This vulnerability is a serious risk for Node.js applications, requiring immediate attention and patching to prevent exploitation.
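
A defensive check for the condition described above, as an added example that is not code from the advisory or from the Node.js project: it walks a chunked body and rejects any chunk-size line whose extension exceeds a budget, including lines that are still unterminated. The function name, the 1024-byte budget and the sample bodies are assumptions constructed for illustration.

```javascript
'use strict';

// Illustrative per-chunk budget for extension bytes (an assumption for this
// example, not a value taken from the advisory).
const MAX_EXT_BYTES = 1024;

// Walk a chunked message body and measure the extension on every chunk-size
// line. Trailer fields after the last chunk are not inspected.
function inspectChunkedBody(body, maxExt = MAX_EXT_BYTES) {
  const buf = Buffer.isBuffer(body) ? body : Buffer.from(body, 'latin1');
  let pos = 0, chunks = 0, largestExt = 0;
  const fail = (reason) => ({ ok: false, chunks, largestExt, reason });

  while (pos < buf.length) {
    const eol = buf.indexOf('\r\n', pos);
    const line = buf.toString('latin1', pos, eol === -1 ? buf.length : eol);
    const semi = line.indexOf(';');
    const extLen = semi === -1 ? 0 : line.length - semi; // ';' and all that follows
    largestExt = Math.max(largestExt, extLen);

    // Apply the budget before requiring CRLF: a check that only runs on
    // complete lines never fires while a peer keeps the line open.
    if (extLen > maxExt) return fail('chunk extension exceeds budget');
    if (eol === -1) return fail('incomplete chunk-size line');

    const sizeHex = semi === -1 ? line : line.slice(0, semi);
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeHex)) return fail('invalid chunk size');
    const size = parseInt(sizeHex, 16);
    pos = eol + 2;
    if (size === 0) return { ok: true, chunks, largestExt, reason: null };

    // chunk-data must be exactly `size` bytes followed by CRLF.
    if (buf.toString('latin1', pos + size, pos + size + 2) !== '\r\n') {
      return fail('chunk data truncated or not terminated');
    }
    pos += size + 2;
    chunks++;
  }
  return fail('missing last chunk');
}

// Constructed sample bodies (not captured traffic).
const benign = '5;name=value\r\nhello\r\n0\r\n\r\n';
const oversized = '2;' + 'A'.repeat(5000) + '=bar\r\nAA\r\n0\r\n\r\n';
const unterminated = '2;' + 'A'.repeat(5000); // no CRLF yet

for (const [name, body] of Object.entries({ benign, oversized, unterminated })) {
  console.log(name, inspectChunkedBody(body));
}
```

The same per-chunk counter can run in a reverse proxy or in log replay to spot requests whose chunk-size lines carry far more extension bytes than any legitimate client sends.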

Proof Of Concept

A full reproduction:

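    const assert = require('assert');
    const http = require('http');
    const net = require('net');

    // Server that drains the request body and replies once it has ended.
    const server = http.createServer((req, res) => {
        req.on('end', () => {
            res.writeHead(200, { 'Content-Type': 'text/plain' });
            res.end('bye');
        });

        req.resume();
    });

    // Listen on an ephemeral port and connect to it over a raw socket.
    server.listen(0, () => {
        const sock = net.connect(server.address().port);
        let data = '';

        sock.on('data', (chunk) => data += chunk.toString('utf-8'));

        // The assertion passes when the server rejects the oversized
        // chunk extension with 413 and closes the connection.
        sock.on('end', function () {
            assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
            server.close();
        });

        // Chunked request whose first chunk-size line carries a 20,000-byte extension.
        sock.end('' +
            'GET / HTTP/1.1\r\n' +
            'Host: localhost:8080\r\n' +
            'Transfer-Encoding: chunked\r\n\r\n' +
            '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' +
            '0\r\n\r\n'
        );
    });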

Credits

  • Bartek Nowotarski (finder)

Mitigation

The v16, v14 and v12 lines of the Node.js project are End of Life and will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from EOL versions.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-22019
  • Project affected: Node.js
  • Versions affected: <21.6.2, <20.11.1, <v18.19.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
  • Published date: February 14, 2024
  • ≈ Fix date: February 14, 2024
  • Fixed in:
  • Severity: High
  • Category: Denial of Service