{"id":"BIT-node-min-2024-22019","details":"A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Because chunk extension bytes are not limited, the server reads an unbounded number of bytes from a single connection. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.","aliases":["BIT-node-2024-22019","CVE-2024-22019"],"modified":"2026-02-11T09:32:42.549403Z","published":"2024-12-16T13:54:43.219Z","database_specific":{"cpes":["cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"],"severity":"High"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/03/11/1"},{"type":"WEB","url":"https://hackerone.com/reports/2233486"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240315-0004/"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22019"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2024.html"}],"affected":[{"package":{"name":"node-min","ecosystem":"Bitnami","purl":"pkg:bitnami/node-min"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"18.19.1"},{"introduced":"19.0.0"},{"fixed":"20.11.1"},{"introduced":"21.0.0"},{"fixed":"21.6.2"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2024-22019.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.3"}