CVE-2024-22025

{"id": "CVE-2024-22025", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-03-19T05:15:10.267", "references": [{"url": "https://hackerone.com/reports/2284065", "source": "support@hackerone.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html", "source": "support@hackerone.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240517-0008/", "source": "support@hackerone.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-404"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Node.js, que permite un ataque de denegaci\u00f3n de servicio (DoS) por agotamiento de recursos cuando se utiliza la funci\u00f3n fetch() para recuperar contenido de una URL que no es de confianza. La vulnerabilidad surge del hecho de que la funci\u00f3n fetch() en Node.js siempre decodifica Brotli, lo que hace posible que un atacante provoque el agotamiento de los recursos al recuperar contenido de una URL que no es de confianza. Un atacante que controle la URL pasada a fetch() puede aprovechar esta vulnerabilidad para agotar la memoria, lo que podr\u00eda provocar la terminaci\u00f3n del proceso, seg\u00fan la configuraci\u00f3n del sistema."}], "lastModified": "2024-10-30T21:35:00.717", "sourceIdentifier": "support@hackerone.com"}