DEBIAN-CVE-2024-22019

DEBIAN-CVE-2024-22019 PUBLISHED CVSS 7.5 HIGH

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:13	nodejs	0, 0, 0
Debian:14	nodejs	0, 0, 0
Debian:11	nodejs	12.22.12~dfsg-1~deb11u4, 12.22.4~dfsg-1, 12.22.5~dfsg-1
Debian:12	nodejs	0, 18.13.0+dfsg1-1, 18.13.0+dfsg1-1.1

Exploit Intelligence

cve_rules.hpp (github-poc)
nvd_db.cpp (github-poc)
GenerationConfig.java (github-poc)
SelfAdaptationGenerationConfig.java (github-poc)

Timeline

Feb 20, 2024 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2024-22019 advisory

Open in Interactive Console →