CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
39.9%
libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo
function in src/unix/getaddrinfo.c
(and its windows counterpart src/win/getaddrinfo.c
), truncates hostnames to 256 characters before calling getaddrinfo
. This behavior can be exploited to create addresses like 0x00007f000001
, which are considered valid by getaddrinfo
and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the hostname_ascii
variable (with a length of 256 bytes) is handled in uv_getaddrinfo
and subsequently in uv__idna_toascii
. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have username.example.com
pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
[
{
"vendor": "libuv",
"product": "libuv",
"versions": [
{
"version": ">= 1.45.0, < 1.48.0",
"status": "affected"
}
]
}
]
www.openwall.com/lists/oss-security/2024/02/08/2
www.openwall.com/lists/oss-security/2024/02/11/1
www.openwall.com/lists/oss-security/2024/03/11/1
github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
github.com/libuv/libuv/commit/c858a147643de38a09dd4164758ae5b685f2b488
github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39
github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
gitlab.kitware.com/cmake/cmake/-/issues/26112
lists.debian.org/debian-lts-announce/2024/03/msg00005.html
security.netapp.com/advisory/ntap-20240605-0008/