The vulnerability (CVE-2024-22025) describes a DoS in Node.js fetch() due to resource exhaustion when always decoding Brotli from an untrusted URL. The fix was identified in Node.js version 20.11.1, specifically commit c213910aeae13e259cbe1cdd065d53bb58a4e94c which modified lib/zlib.js.
The core defect is in processCallback within lib/zlib.js. This function did not properly pause data processing when the output stream buffer was full, so decompressed data kept accumulating and memory was exhausted. This is the most direct site of the vulnerability.

The BrotliDecompress class (specifically stream methods such as _transform or write) relies on this flawed processCallback logic. When fetch handles a Brotli-encoded response, it employs BrotliDecompress, which makes those methods part of the vulnerable execution path.

The fetch function is the high-level API that initiates the process. It takes an untrusted URL and, by always attempting Brotli decoding for relevant responses, it triggers the use of the vulnerable BrotliDecompress stream.

Thus, fetch is the entry point, BrotliDecompress.prototype._transform (or similar stream methods) is the component processing the malicious data using the flawed mechanism, and processCallback is where the actual logical error causing the resource exhaustion resided.