VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-xhbn-z77y-d7c6

Essentials
Severities (25)
References (15)
Severity details (7)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-xhbn-z77y-d7c6
Aliases	CVE-2024-22025
Summary	A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
Status	Published
Exploitability	0.5
Weighted Severity	5.9
Risk	3.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-400

Uncontrolled Resource Consumption

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22025.json
epss	0.00281	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00281	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00281	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00281	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00281	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00334	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
epss	0.00404	https://api.first.org/data/v1/epss?cve=CVE-2024-22025
cvssv3	6.5	https://hackerone.com/reports/2284065
ssvc	Track	https://hackerone.com/reports/2284065
cvssv3	6.5	https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
cvssv3	6.5	https://security.netapp.com/advisory/ntap-20240517-0008/
ssvc	Track	https://security.netapp.com/advisory/ntap-20240517-0008/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22025.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-22025
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22025
2270559		https://bugzilla.redhat.com/show_bug.cgi?id=2270559
2284065		https://hackerone.com/reports/2284065
CVE-2024-22025		https://nvd.nist.gov/vuln/detail/CVE-2024-22025
msg00029.html		https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html
ntap-20240517-0008		https://security.netapp.com/advisory/ntap-20240517-0008/
RHSA-2024:2778		https://access.redhat.com/errata/RHSA-2024:2778
RHSA-2024:2779		https://access.redhat.com/errata/RHSA-2024:2779
RHSA-2024:2780		https://access.redhat.com/errata/RHSA-2024:2780
RHSA-2024:2853		https://access.redhat.com/errata/RHSA-2024:2853
RHSA-2024:2910		https://access.redhat.com/errata/RHSA-2024:2910
RHSA-2024:4559		https://access.redhat.com/errata/RHSA-2024:4559
RHSA-2024:4721		https://access.redhat.com/errata/RHSA-2024:4721

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22025.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://hackerone.com/reports/2284065

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T20:30:35Z/ Found at https://hackerone.com/reports/2284065

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T20:30:35Z/ Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240517-0008/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T20:30:35Z/ Found at https://security.netapp.com/advisory/ntap-20240517-0008/

Exploit Prediction Scoring System (EPSS)

Percentile	0.51392
EPSS Score	0.00281
Published At	Aug. 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T09:14:30.163320+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/22xxx/CVE-2024-22025.json	37.0.0