A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | RedHat | nodejs:16-8090020240315081818.a75119d5 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:18-8090020240301110609.a75119d5 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:20-8090020240228165436.a75119d5 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | nodejs:16-8060020240318185600.ad008a3a | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | nodejs:18-8080020240322102042.63b34585 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | nodejs:16-8080020240318185426.63b34585 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs-1:16.20.2-4.el9_3 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:18-9030020240301111035.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:20-9030020240229115828.rhel9 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | nodejs-1:16.20.2-4.el9_0 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | nodejs-1:16.20.2-4.el9_2 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | nodejs:18-9020020240322155241.rhel9 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs14-nodejs-0:14.21.3-6.el7 | * |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | mantic | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | upstream | * |
| Nodejs | Ubuntu | xenial | * |