A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | nodejs | <=ย 18.13.0+dfsg1-1 | nodejs_18.13.0+dfsg1-1_all.deb |
Debian | 11 | all | nodejs | <=ย 12.22.12~dfsg-1~deb11u4 | nodejs_12.22.12~dfsg-1~deb11u4_all.deb |
Debian | 10 | all | nodejs | <ย 10.24.0~dfsg-1~deb10u1 | nodejs_10.24.0~dfsg-1~deb10u1_all.deb |
Debian | 999 | all | nodejs | <ย 18.19.1+dfsg-1 | nodejs_18.19.1+dfsg-1_all.deb |
Debian | 13 | all | nodejs | <ย 18.19.1+dfsg-1 | nodejs_18.19.1+dfsg-1_all.deb |