CVE-2024-22025 Overview
A Denial of Service (DoS) vulnerability has been identified in Node.js affecting the fetch() function. This vulnerability allows attackers to cause resource exhaustion when the function retrieves content from an untrusted URL. The issue arises because Node.js always decodes Brotli compression without proper resource limits, enabling malicious actors to craft responses that consume excessive memory resources.
Critical Impact
An attacker controlling a URL passed to fetch() can exploit this vulnerability to exhaust system memory, potentially leading to process termination depending on system configuration.
Affected Products
- Node.js (versions using the vulnerable fetch() implementation)
- Debian Linux (addressed in LTS advisories)
- NetApp products (see NetApp Security Advisory ntap-20240517-0008)
Discovery Timeline
- 2024-03-19 - CVE-2024-22025 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-22025
Vulnerability Analysis
This vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release) and manifests in the Brotli decompression handling within Node.js's fetch() API. When a Node.js application uses fetch() to retrieve content from an external URL, the function automatically decodes Brotli-compressed responses without implementing adequate safeguards against decompression bombs or excessively large decompressed outputs.
The attack requires user interaction in the sense that a user or application must be tricked into fetching content from a malicious URL. However, the attack itself can be executed remotely over the network without any authentication requirements. The vulnerability exclusively impacts system availability without compromising data confidentiality or integrity.
Root Cause
The root cause lies in the unconditional Brotli decompression behavior of the fetch() function. When processing HTTP responses, Node.js automatically applies Brotli decompression to appropriately encoded content without enforcing limits on the resulting decompressed data size. This design allows an attacker-controlled server to send a small, highly compressed payload that expands to a massive size in memory during decompression.
Attack Vector
The attack vector is network-based and requires an attacker to control or compromise a URL that will be fetched by the vulnerable Node.js application. The exploitation scenario typically involves:
- The attacker hosts or controls a malicious server that serves Brotli-compressed content
- The victim application calls fetch() with the attacker-controlled URL
- The malicious server responds with a small Brotli-compressed payload designed to expand dramatically
- Node.js automatically decompresses the response, consuming excessive memory
- Memory exhaustion occurs, potentially crashing the Node.js process
The vulnerability is particularly dangerous in scenarios where user-supplied URLs are fetched server-side, such as URL preview features, web scraping functionality, or API integrations that fetch external resources.
Detection Methods for CVE-2024-22025
Indicators of Compromise
- Unusual memory consumption spikes in Node.js processes, particularly during HTTP fetch operations
- Process crashes or out-of-memory (OOM) terminations in applications using fetch() with external URLs
- Network traffic showing small inbound responses with Content-Encoding: br headers followed by memory exhaustion
- Application logs indicating memory allocation failures or heap limit exceeded errors
Detection Strategies
- Monitor Node.js process memory usage and set alerting thresholds for abnormal growth patterns
- Implement application-level logging for all fetch() calls to external URLs, including response sizes
- Deploy network monitoring to identify unusually small Brotli-encoded responses from suspicious sources
- Use runtime application self-protection (RASP) tools to detect and block resource exhaustion attacks
Monitoring Recommendations
- Enable memory profiling in production Node.js applications to baseline normal memory consumption
- Configure container or process memory limits with appropriate restart policies to prevent system-wide impact
- Implement URL allowlisting where possible to restrict fetch() destinations to trusted domains
- Monitor for repeated crash-restart cycles in Node.js services which may indicate active exploitation attempts
How to Mitigate CVE-2024-22025
Immediate Actions Required
- Update Node.js to the latest patched version that addresses CVE-2024-22025
- Audit application code to identify all uses of fetch() with user-controlled or external URLs
- Implement URL validation and allowlisting to restrict which domains can be fetched
- Configure process memory limits and monitoring to contain potential exploitation impact
Patch Information
Security patches addressing this vulnerability have been released. Refer to the official advisories for specific patch information:
- HackerOne Report #2284065 - Original vulnerability report
- Debian LTS Advisory March 2024 - Debian package updates
- Debian LTS Advisory September 2024 - Additional Debian updates
- NetApp Security Advisory ntap-20240517-0008 - NetApp product guidance
Workarounds
- Implement a proxy layer that validates and limits response sizes before passing content to Node.js applications
- Use alternative HTTP client libraries that provide explicit control over decompression behavior and size limits
- Deploy application-level timeouts and memory limits on fetch() operations to prevent unbounded resource consumption
- Avoid using fetch() with untrusted URLs; use server-side URL validation and sanitization when external fetching is required
# Example: Setting Node.js memory limits to contain DoS impact
node --max-old-space-size=512 app.js
# Example: Using process manager with memory limits
pm2 start app.js --max-memory-restart 500M
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
