Internet Bug Bounty: Libuv: Improper Domain Lookup that potentially leads to SSRF attacks

2024-03-2118:47:15

hunt1

hackerone.com

$4860

internet bug bounty

libuv

vulnerability

ssrf attacks

node.js

ctf competition

libuv team

hackerone

collaboration

cve-2024-24806

internal api access

poc

advisory

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

44.3%

JSON

I recently encountered a challenge in a CTF competition that led me to discover a vulnerability within Node.js, present in all versions after v10. Upon further investigation and code debugging, it became apparent that the vulnerability originated from its direct dependency, libuv.

I submitted a report to the Node.js team via HackerOne, and they subsequently connected me with the libuv team. This collaboration resulted in the identification and resolution of the vulnerability, now recorded as CVE-2024-24806.

Impact

This vulnerability could allow an attacker to craft payloads that results in SSRF attacks andInternal API Access. Full explanation of vulnerability, PoC and sample scenarios are provided within the original report:
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6