GitHub_MVULNRICHMENT:CVE-2024-32652CVE-2024-32652 @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that @hono/node-server can’t handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings. The version 1.10.1 includes the fix for this issue.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*"
],
"vendor": "hono",
"product": "node-server",
"versions": [
{
"status": "affected",
"version": "1.3.0",
"lessThan": "1.10.1",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial