
CVE-2022-24434: Dicer Package DoS Vulnerability

CVE-2022-24434 is a denial-of-service flaw in the dicer package that lets unauthenticated attackers crash Node.js services by submitting crafted multipart forms. This post covers the technical details, affected versions, detection, and mitigation.


CVE-2022-24434 Overview

CVE-2022-24434 is a denial-of-service vulnerability affecting all versions of the dicer Node.js package, a streaming multipart/form-data parser that older busboy releases and other upload-handling libraries pull in as a dependency. An attacker who can reach an endpoint that parses multipart bodies submits a crafted form and crashes the Node.js process that handles it. No authentication or user interaction is required, so the payload can be replayed continuously to keep the service offline. No fixed dicer release has been published. The issue is tracked by Snyk as SNYK-JS-DICER-2311764 (npm) and SNYK-JAVA-ORGWEBJARSNPM-2838865 (WebJars).

Critical Impact

Unauthenticated remote attackers can repeatedly crash any Node.js service that parses multipart form uploads with dicer, whether it is used directly or through a downstream library such as a pre-1.0 busboy release.

Affected Products

  • dicer package — all versions (npm)
  • busboy releases that depend on dicer (0.x), and other Node.js libraries that depend on dicer directly or through busboy
  • Java WebJars repackaging of dicer (org.webjars.npm:dicer)

Discovery Timeline

  • 2022-05-20 - CVE-2022-24434 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-24434

Vulnerability Analysis

The vulnerability is a denial-of-service flaw in dicer, a streaming multipart parser written in JavaScript. The package is embedded in higher-level libraries, notably busboy 0.x, which in turn underpins Express file-upload middleware. A specifically structured multipart payload drives the parser into a fault it does not handle; the resulting error propagates as an uncaught exception, and Node.js terminates the process rather than continuing with a stream in an undefined state.

Body parsing frequently runs before, or independently of, application-level authentication, so the attacker needs no credentials; and because the crash takes down the whole process, every other request in flight on that worker is dropped as well. Repeated submission of the malformed form keeps the service in a crash-restart loop, exhausting availability for legitimate users. NVD assigns no specific weakness class (NVD-CWE-noinfo); the upstream report is busboy issue #250.

Root Cause

The root cause is improper handling of malformed multipart input inside dicer's streaming parser: input that violates the parser's expected state transitions raises an error that no internal handler catches, and Node.js treats the uncaught exception as fatal and exits the worker process. The public advisories do not document the exact parser state involved. See the proposed fix in dicer pull request #22 and commit b7fca2e for the parser-level remediation.

Attack Vector

Exploitation occurs over the network against any HTTP endpoint that accepts multipart/form-data and routes it through dicer or a busboy release that depends on it. The attacker submits a modified multipart form whose structure triggers the parser fault. No privileges, user interaction, or prior reconnaissance are required. Because the crash takes down the entire Node.js process, single-process deployments and services without supervisor-based restart logic suffer extended outages, and even supervised deployments can be held in a crash-restart loop by replaying the request. The vulnerability does not impact confidentiality or integrity.

No verified proof-of-concept code is published in the referenced advisories. Refer to the Snyk JavaScript advisory for additional technical context.

Detection Methods for CVE-2022-24434

Indicators of Compromise

  • Repeated abnormal terminations of Node.js worker processes shortly after receiving multipart/form-data POST requests.
  • Unhandled exception stack traces in application logs referencing dicer or busboy parser internals.
  • Process supervisors such as pm2, systemd, or Kubernetes reporting elevated restart counts on upload-handling pods.
  • Spikes in 5xx responses correlated with multipart upload traffic from a small set of source IP addresses.

Detection Strategies

  • Inventory Node.js applications with software composition analysis tools and flag any direct or transitive dependency on dicer, including busboy versions that still depend on it.
  • Register a process.on('uncaughtException') handler that records the stack trace in structured form and then exits (do not resume after an uncaught exception from a stream parser; its state is undefined), and forward the events to a centralized log pipeline for correlation.
  • Apply web application firewall or reverse-proxy rules that reject multipart bodies with malformed boundaries or excessive part counts, and rate-limit anomalous upload patterns per source.

Monitoring Recommendations

  • Alert on sustained Node.js process restart rates above baseline, particularly on services exposing file upload endpoints.
  • Correlate HTTP request logs with process lifecycle events to identify request patterns that precede crashes.
  • Track dependency advisories from npm audit and Snyk feeds for dicer and busboy to catch new regressions.
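To make the indicators and monitoring recommendations above concrete, here is an added example (not code from the advisory or from dicer/busboy) that correlates multipart POST requests with worker crash events and classifies uncaught exceptions by whether a dicer or busboy frame is on the stack. The access-log field names and the supervisor message format are assumptions standing in for whatever your proxy and process manager actually emit; all log lines are constructed.

```javascript
// Added example: correlate multipart uploads with Node.js worker crashes.
// ACCESS_LOG and CRASH_LOG are constructed; field names and the supervisor
// line format are assumptions, not a real product's output.

// Constructed access log, one JSON object per line. The 502s come from a
// reverse proxy whose upstream worker died while handling the request.
const ACCESS_LOG = [
  '{"ts":"2022-06-01T10:00:01Z","ip":"203.0.113.7","method":"POST","path":"/upload","ctype":"multipart/form-data; boundary=----x","status":502}',
  '{"ts":"2022-06-01T10:00:03Z","ip":"198.51.100.2","method":"GET","path":"/","ctype":"","status":200}',
  '{"ts":"2022-06-01T10:00:31Z","ip":"203.0.113.7","method":"POST","path":"/upload","ctype":"multipart/form-data; boundary=----x","status":502}',
  '{"ts":"2022-06-01T10:01:02Z","ip":"198.51.100.9","method":"POST","path":"/upload","ctype":"multipart/form-data; boundary=abc","status":201}',
  '{"ts":"2022-06-01T10:01:05Z","ip":"203.0.113.7","method":"POST","path":"/upload","ctype":"multipart/form-data; boundary=----x","status":502}',
].join('\n');

// Constructed supervisor log, one line per worker exit.
const CRASH_LOG = [
  '2022-06-01T10:00:02Z worker[1] exited with code 1 (uncaughtException)',
  '2022-06-01T10:00:32Z worker[2] exited with code 1 (uncaughtException)',
  '2022-06-01T10:01:06Z worker[3] exited with code 1 (uncaughtException)',
].join('\n');

function parseAccessLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    return { ...e, t: Date.parse(e.ts) };
  });
}

function parseCrashLog(text) {
  const re = /^(\S+) worker\[(\d+)\] exited with code (\d+)/;
  return text.split('\n').filter(Boolean).flatMap((line) => {
    const m = re.exec(line);
    return m ? [{ t: Date.parse(m[1]), worker: Number(m[2]), code: Number(m[3]) }] : [];
  });
}

function isMultipartPost(e) {
  return e.method === 'POST' && /^multipart\/form-data/i.test(e.ctype || '');
}

// For each crash, attribute it to every source IP that sent a multipart POST
// within the preceding windowMs. Returns { ip: numberOfCrashesPreceded }.
function crashesBySource(accessText = ACCESS_LOG, crashText = CRASH_LOG, windowMs = 5000) {
  const uploads = parseAccessLog(accessText).filter(isMultipartPost);
  const counts = {};
  for (const crash of parseCrashLog(crashText)) {
    const suspects = new Set(
      uploads.filter((u) => u.t <= crash.t && crash.t - u.t <= windowMs).map((u) => u.ip),
    );
    for (const ip of suspects) counts[ip] = (counts[ip] || 0) + 1;
  }
  return counts;
}

// One coincidence between an upload and a crash is noise; a source that keeps
// preceding crashes is the signal worth alerting on.
function flagSources(counts, minCrashes = 2) {
  return Object.entries(counts)
    .filter(([, n]) => n >= minCrashes)
    .map(([ip]) => ip);
}

// Classify an uncaught exception by whether a dicer or busboy frame is on the
// stack (paths under node_modules/dicer/ or node_modules/busboy/).
function classifyCrash(err) {
  const stack = (err && err.stack) || '';
  const m = /node_modules[\\/](dicer|busboy)[\\/]/.exec(stack);
  return { parserRelated: m !== null, pkg: m ? m[1] : null };
}

// Instrumentation hook for the uncaughtException recommendation above: emit a
// structured record, then exit as Node would have anyway. Never resume here;
// a stream parser that threw is in an undefined state.
function installCrashInstrumentation(sink = (rec) => console.error(JSON.stringify(rec))) {
  process.on('uncaughtException', (err) => {
    sink({ event: 'uncaughtException', ...classifyCrash(err), message: err && err.message, stack: err && err.stack });
    process.exit(1);
  });
}
```

The threshold in flagSources is what turns a noisy correlation into an alert; tune the window to your proxy's upstream timeout so a crash is matched only with requests that could have been on that worker. installCrashInstrumentation keeps Node's default fatal semantics and only adds the structured record for the log pipeline.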

How to Mitigate CVE-2022-24434

Immediate Actions Required

  • Audit all Node.js services with npm ls dicer and npm ls busboy to enumerate direct and transitive usage.
  • Upgrade busboy to a release that no longer depends on dicer (1.0.0 and later ship their own parser), and rebuild dependent applications.
  • Restrict upload endpoints behind authentication or a reverse proxy with strict request size and content-type validation until patching is complete.
  • Ensure all Node.js processes run under a supervisor that restarts crashed workers; this shortens each outage but does not stop an attacker who keeps replaying the payload.
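As an added example of the audit step (this is not code from the advisory, from npm, or from the dicer project), the following walks an npm lockfile and reports every dependency chain from the project root to an installed copy of dicer, which is what npm ls dicer shows interactively but in a form a CI job can fail on. The lockfile below is constructed, and legacy-uploader and modern-uploader are hypothetical package names.

```javascript
// Added example: find every path by which dicer reaches a project, from an npm
// lockfile with lockfileVersion 2 or 3 (the "packages" map keyed by install
// path). SAMPLE_LOCK is constructed; legacy-uploader and modern-uploader are
// hypothetical names.

const SAMPLE_LOCK = {
  name: 'upload-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'upload-service', dependencies: { 'legacy-uploader': '^1.0.0', 'modern-uploader': '^2.0.0' } },
    'node_modules/legacy-uploader': { version: '1.0.0', dependencies: { busboy: '^0.3.1' } },
    'node_modules/busboy': { version: '0.3.1', dependencies: { dicer: '0.3.0' } },
    'node_modules/dicer': { version: '0.3.0', dependencies: { streamsearch: '0.1.2' } },
    'node_modules/streamsearch': { version: '0.1.2' },
    'node_modules/modern-uploader': { version: '2.0.0', dependencies: { busboy: '^1.6.0' } },
    'node_modules/modern-uploader/node_modules/busboy': { version: '1.6.0', dependencies: { streamsearch: '^1.1.0' } },
    'node_modules/modern-uploader/node_modules/streamsearch': { version: '1.1.0' },
  },
};

// Resolve `name` as required from `fromPath`, following Node's lookup order:
// the nearest node_modules directory first, then each enclosing one up to root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Reverse edges: install path -> install paths that depend on it.
function buildReverseGraph(packages) {
  const parents = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}), ...(meta.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, path, name);
      if (target === null) continue;
      if (!parents.has(target)) parents.set(target, []);
      parents.get(target).push(path);
    }
  }
  return parents;
}

// Package name from an install path; keeps the scope for @scope/name packages.
function packageName(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Every chain "root > a@x > b@y > target@z" that ends at an installed copy of target.
function chainsTo(lock, target) {
  const packages = lock.packages || {};
  const parents = buildReverseGraph(packages);
  const label = (p) => (p === '' ? (lock.name || '(root)') : `${packageName(p)}@${packages[p].version}`);
  const installs = Object.keys(packages).filter(
    (p) => p === 'node_modules/' + target || p.endsWith('/node_modules/' + target),
  );
  const chains = [];
  const walk = (path, chain, seen) => {
    if (seen.has(path)) return; // cycle guard
    const next = parents.get(path) || [];
    if (path === '' || next.length === 0) {
      chains.push(chain.slice().reverse().map(label).join(' > '));
      return;
    }
    const seenNow = new Set(seen).add(path);
    for (const parent of next) walk(parent, [...chain, parent], seenNow);
  };
  for (const install of installs) walk(install, [install], new Set());
  return chains;
}

function hasDicer(lock) {
  return chainsTo(lock, 'dicer').length > 0;
}

// Usage against a real project:
//   const lock = JSON.parse(fs.readFileSync('package-lock.json', 'utf8'));
//   for (const chain of chainsTo(lock, 'dicer')) console.log(chain);
//   if (hasDicer(lock)) process.exitCode = 1;
```

Resolving each dependency edge the way Node does, rather than trusting directory nesting, matters because npm hoists packages: the copy of dicer a library actually loads may sit at the top of node_modules even though only one deep dependency asked for it.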

Patch Information

The upstream fix is tracked in dicer pull request #22, with the parser change in commit b7fca2e, but no fixed dicer release has been published. The practical remediation is therefore to move to a maintained successor: busboy 1.x ships its own parser and no longer depends on dicer, or switch to an alternative multipart parser. Java consumers using WebJars should update or remove the org.webjars.npm:dicer artifact accordingly.

Workarounds

  • Place a reverse proxy or WAF in front of the application to reject malformed multipart/form-data requests before they reach Node.js.
  • Enforce strict Content-Length, boundary, and part-count limits at the proxy layer to reduce attack surface.
  • Run upload handlers in isolated worker processes or containers so that a crash does not affect unrelated application functionality.
```bash
# Enumerate direct and transitive usage of dicer and busboy
npm ls dicer
npm ls busboy
# npm update only moves within the semver range declared in package.json,
# so a 0.x -> 1.x busboy bump needs an explicit install (direct dependency)
# or an "overrides" entry in package.json (transitive dependency)
npm install busboy@^1
npm audit fix
```
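An added example of the proxy-layer screening described in the workarounds (not code from the advisory, dicer or busboy): it validates the Content-Type boundary against the RFC 2046 grammar, requires a declared Content-Length under a cap that matches the body, and counts delimited parts up to a limit, rejecting anything unterminated. Header keys are assumed to be lower-cased as Node's IncomingMessage.headers does; the sample body is constructed.

```javascript
// Added example: screen a multipart/form-data request before any parser sees it.
// Assumes lower-cased header keys (as Node's IncomingMessage.headers provides).
// SAMPLE_BODY is constructed.

const DEFAULT_LIMITS = { maxBodyBytes: 10 * 1024 * 1024, maxParts: 20 };

// RFC 2046 boundary grammar: 1..70 characters from this set, not ending in a space.
const BOUNDARY_RE = /^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$/;

// Returns the boundary string, or null if the header is not an acceptable
// multipart/form-data Content-Type (wrong type, missing/duplicate/invalid boundary).
function parseMultipartContentType(value) {
  if (typeof value !== 'string') return null;
  const [type, ...params] = value.split(';').map((s) => s.trim());
  if (type.toLowerCase() !== 'multipart/form-data') return null;
  let boundary = null;
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1 || p.slice(0, eq).trim().toLowerCase() !== 'boundary') continue;
    if (boundary !== null) return null; // duplicate boundary parameter
    let v = p.slice(eq + 1).trim();
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    boundary = v;
  }
  if (boundary === null || !BOUNDARY_RE.test(boundary) || boundary.endsWith(' ')) return null;
  return boundary;
}

// Count part delimiters ("--boundary" CRLF at the start of a line) and detect the
// close delimiter ("--boundary--"). latin1 maps bytes 1:1, so binary parts are safe.
function countParts(body, boundary) {
  const text = Buffer.isBuffer(body) ? body.toString('latin1') : String(body);
  const delim = '--' + boundary;
  let parts = 0;
  let closed = false;
  let pos = 0;
  for (;;) {
    const i = text.indexOf(delim, pos);
    if (i === -1) break;
    const atLineStart = i === 0 || text.slice(i - 2, i) === '\r\n';
    const tail = text.slice(i + delim.length, i + delim.length + 2);
    if (atLineStart && tail === '--') { closed = true; break; }
    if (atLineStart && tail === '\r\n') parts += 1;
    pos = i + delim.length;
  }
  return { parts, closed };
}

// Full screen. Returns { ok: true, boundary, parts } or { ok: false, reason }.
function vetUpload(headers, body, limits = DEFAULT_LIMITS) {
  const boundary = parseMultipartContentType(headers['content-type']);
  if (boundary === null) return { ok: false, reason: 'bad content-type or boundary' };
  const declared = Number(headers['content-length']);
  if (!Number.isInteger(declared) || declared < 0) return { ok: false, reason: 'missing content-length' };
  if (declared > limits.maxBodyBytes) return { ok: false, reason: 'body too large' };
  if (declared !== body.length) return { ok: false, reason: 'content-length mismatch' };
  const { parts, closed } = countParts(body, boundary);
  if (!closed) return { ok: false, reason: 'unterminated multipart body' };
  if (parts === 0) return { ok: false, reason: 'no parts' };
  if (parts > limits.maxParts) return { ok: false, reason: 'too many parts' };
  return { ok: true, boundary, parts };
}

// Constructed two-part body: one text field and one small file.
const SAMPLE_BOUNDARY = 'b1';
const SAMPLE_BODY = Buffer.from(
  '--b1\r\nContent-Disposition: form-data; name="title"\r\n\r\nhello\r\n' +
  '--b1\r\nContent-Disposition: form-data; name="file"; filename="a.txt"\r\n' +
  'Content-Type: text/plain\r\n\r\nfile bytes\r\n' +
  '--b1--\r\n',
  'latin1',
);

function sampleHeaders(body = SAMPLE_BODY, boundary = SAMPLE_BOUNDARY) {
  return { 'content-type': `multipart/form-data; boundary=${boundary}`, 'content-length': String(body.length) };
}
```

This is a screen, not a fix: the advisories do not document the exact structure that triggers the crash, so a request can pass every check here and still reach a parser that dies on it. It also buffers the body, which is acceptable for bounded uploads at a proxy but is not a general replacement for streaming parsing; upgrading away from dicer remains the remediation.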

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
