Medium severity6.5NVD Advisory· Published Mar 19, 2024· Updated Apr 15, 2026

CVE-2024-22025

Description

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

hackerone.com/reports/2284065nvd
lists.debian.org/debian-lts-announce/2024/03/msg00029.htmlnvd
lists.debian.org/debian-lts-announce/2024/09/msg00029.htmlnvd
security.netapp.com/advisory/ntap-20240517-0008/nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000