CVE-2024-24806 Overview
CVE-2024-24806 affects libuv, a multi-platform support library focused on asynchronous I/O that is used by Node.js and many other projects. The uv_getaddrinfo function in src/unix/getaddrinfo.c and src/win/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. Attackers can craft long hostnames that resolve to unintended IP addresses, bypassing developer-implemented hostname validation. The flaw enables Server-Side Request Forgery (SSRF) attacks [CWE-918] against services that crawl, cache, or proxy user-supplied hostnames, such as subdomain-per-user platforms of the form username.example.com.
Critical Impact
Attackers can bypass hostname allowlists and force internal services to resolve and connect to attacker-chosen IP addresses, exposing internal APIs to SSRF.
Affected Products
- libuv versions prior to 1.48.0
- Applications and runtimes embedding vulnerable libuv (including Node.js builds linked against affected versions)
- Downstream distributions including Debian LTS and NetApp products that bundle libuv
Discovery Timeline
- 2024-02-07 - CVE-2024-24806 published to the National Vulnerability Database (NVD)
- 2024-02-08 - Public discussion opened on the Openwall OSS-Security mailing list
- 2024-03-11 - Debian LTS advisory released for affected packages
- 2024-06-05 - NetApp security advisory published
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24806
Vulnerability Analysis
The vulnerability stems from improper handling of the hostname_ascii buffer inside uv_getaddrinfo and uv__idna_toascii. The buffer is fixed at 256 bytes. When a caller supplies a hostname longer than 256 characters, libuv truncates the input without writing a terminating null byte. The resulting non-null-terminated buffer is then passed to the system resolver, which interprets adjacent stack data or truncated content as part of the address.
An attacker can craft inputs that result in addresses like 0x00007f000001, which getaddrinfo accepts as the loopback address 127.0.0.1. Developer-side hostname checks that inspect the original input string are bypassed because the resolver operates on the truncated, malformed value.
Root Cause
The root cause is a missing length check and a missing null terminator in src/idna.c. The uv__idna_toascii function wrote Punycode-encoded output into a destination buffer but did not guarantee a trailing \0 when the destination was fully consumed. The fix enforces input validation and reserves space for the terminator.
Attack Vector
An attacker submits a hostname exceeding 256 characters to an application that uses libuv for DNS resolution. The truncated hostname is parsed by getaddrinfo as a numeric IP literal, redirecting connections to attacker-chosen targets such as internal services on 127.0.0.1 or RFC 1918 ranges. The attack requires no authentication and no user interaction, and it executes over the network.
// Patch in src/idna.c - always zero-terminate idna output
return rc;
}
- if (d < de)
- *d++ = '\0';
+ if (d >= de)
+ return UV_EINVAL;
+ *d++ = '\0';
return d - ds; /* Number of bytes written. */
}
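Review bot: the new `if (d >= de) return UV_EINVAL;` fires only after the whole Punycode output has already been written, so on that path the destination buffer holds a partial string with no terminator; the function comment should state that buffer contents are undefined on a negative return and that callers must size the buffer to include the terminator. Consider also whether UV_EINVAL is the right code here, since the input hostname may be perfectly valid and the failure is an undersized output buffer; a distinct code such as UV_ENOBUFS would let callers tell the two cases apart.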
Source: GitHub libuv Commit Fix
// Patch in src/idna.c - reject zero-length idna inputs
char* ds;
int rc;
+ if (s == se)
+ return UV_EINVAL;
+
ds = d;
si = s;
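Review bot: the `if (s == se) return UV_EINVAL;` check is correctly placed before `ds` and `si` are assigned and before any output is produced, but nothing in the hunk records why an empty input is an error rather than a zero-length result; add a one-line comment above it (for example `/* An empty hostname is not valid input. */`) so the intent survives later refactoring.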
Source: GitHub libuv Commit Update
Detection Methods for CVE-2024-24806
Indicators of Compromise
- Outbound DNS or connection attempts originating from application servers toward loopback or internal RFC1918 addresses that were not part of expected business logic.
- Application logs containing hostname inputs exceeding 256 characters submitted to URL parsers or HTTP clients.
- Resolver behavior where input hostnames differ from the resolved target due to numeric IP literal interpretation.
Detection Strategies
- Inventory all applications and runtimes statically or dynamically linked against libuv and verify versions against 1.48.0.
- Inspect HTTP access and proxy logs for unusually long hostname fields, particularly in user-controlled URL parameters or subdomain inputs.
- Use software composition analysis (SCA) tools to flag vulnerable libuv versions inside Node.js and embedded application stacks.
Monitoring Recommendations
- Alert on egress connections from web crawler or preview services to internal IP ranges, including 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
- Log and review hostname inputs longer than 255 characters at WAF and reverse-proxy layers.
- Track the GitHub Security Advisory GHSA-f74f-cvh7-c6q6 for updated guidance and downstream patches.
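The following Node.js script is an added example written for this page, not code from the advisory, from libuv or from Node.js core. It runs the two log-based indicators listed above over a handful of constructed egress-proxy log lines: it flags hostname fields longer than 255 characters and destination addresses inside the loopback and RFC 1918 ranges named in the monitoring recommendations. The key=value log format, the field names (host, dst) and the sample lines are assumptions made for the example.

```javascript
'use strict';
// Added example, not code from the advisory or from libuv. Scans constructed
// egress-proxy log lines for two indicators: hostnames longer than 255
// characters and connections to loopback or RFC 1918 destinations.
// The key=value log format and the sample lines are assumptions.

const INTERNAL_CIDRS = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
const MAX_HOSTNAME_LEN = 255;
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for a syntactically valid dotted-quad IPv4 literal.
function isIPv4Literal(s) {
  const m = IPV4_RE.exec(s);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Dotted quad -> unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when ip lies inside cidr (e.g. '172.16.0.0/12').
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True for a destination in any of the monitored internal ranges.
function isInternalIPv4(ip) {
  return isIPv4Literal(ip) && INTERNAL_CIDRS.some((cidr) => inCidr(ip, cidr));
}

// Parse a 'key=value key=value ...' line into an object (constructed format).
function parseLine(line) {
  const fields = {};
  for (const token of line.trim().split(/\s+/)) {
    const eq = token.indexOf('=');
    if (eq > 0) fields[token.slice(0, eq)] = token.slice(eq + 1);
  }
  return fields;
}

// Return the indicator names triggered by a single log line.
function analyzeLine(line) {
  const f = parseLine(line);
  const findings = [];
  if (f.host !== undefined && f.host.length > MAX_HOSTNAME_LEN) {
    findings.push('oversized-hostname');
  }
  if (f.dst !== undefined) {
    const dstIp = f.dst.split(':')[0]; // strip the port
    if (isInternalIPv4(dstIp)) findings.push('internal-egress');
  }
  return findings;
}

// Aggregate over many lines; returns only the lines that triggered something.
function analyzeLog(lines) {
  return lines
    .map((line) => ({ line, findings: analyzeLine(line) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample lines: a benign fetch, an oversized hostname, a fetch
// that ended on loopback, and one that ended on an RFC 1918 address.
const SAMPLE_LOG = [
  'ts=2024-02-08T10:00:00Z svc=preview host=alice.example.com dst=203.0.113.10:443 status=200',
  `ts=2024-02-08T10:00:01Z svc=preview host=${'a'.repeat(300)}.example.com dst=203.0.113.10:443 status=400`,
  'ts=2024-02-08T10:00:02Z svc=preview host=bob.example.com dst=127.0.0.1:8080 status=200',
  'ts=2024-02-08T10:00:03Z svc=preview host=carol.example.com dst=172.20.5.9:80 status=200',
];

for (const hit of analyzeLog(SAMPLE_LOG)) {
  console.log(`${hit.findings.join(',')}  ${hit.line.slice(0, 72)}...`);
}
```

The two checks are independent on purpose: an oversized hostname is worth a look even when the request failed, and an internal destination is worth a look even when the hostname was short, because the page's third indicator (input hostname and resolved target disagreeing) only shows up when both fields are logged side by side.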
How to Mitigate CVE-2024-24806
Immediate Actions Required
- Upgrade libuv to version 1.48.0 or later across all systems and rebuild dependent applications.
- Update Node.js to a release that bundles patched libuv, and apply distribution updates referenced in the Debian LTS Announcement and NetApp Security Advisory.
- Enforce server-side hostname length limits before passing user-supplied values to DNS resolution or HTTP client libraries.
Patch Information
The fix is included in libuv release 1.48.0. The relevant upstream commits are 0f2d7e78, 3530bcc3, c858a147, and e0327e1d. Full details are published in the GitHub libuv Security Advisory.
Workarounds
- No vendor-supplied workarounds exist; upgrading is the only complete remediation.
- As a compensating control, reject hostnames longer than 255 characters at the application input layer.
- Block outbound traffic from application servers to internal networks unless explicitly required by business logic.
# Verify installed libuv version on Linux
ldconfig -p | grep libuv
dpkg -l | grep libuv1
# Node.js: print the libuv version bundled with the runtime
node -e "console.log(process.versions.uv)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.