CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence: Low
EPSS Percentile: 39.9%
libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its Windows counterpart src/win/getaddrinfo.c) truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises from how the hostname_ascii variable (with a length of 256 bytes) is handled in uv_getaddrinfo and subsequently in uv__idna_toascii: when the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access internal APIs. Likewise, for websites (similar to MySpace) that allow users to have username.example.com pages, internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long, crafted username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
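The description above explains that the truncation only matters because over-long hostnames reach the resolver at all, and that the resulting address can escape the checks a developer placed on the hostname string. The following is an added example, not libuv code or part of the advisory, showing the two defensive checks an application calling a resolver would want: a bounded-length, syntax-checked hostname before resolution (so no 256-byte buffer can truncate it), and a check on the resolved address rather than on the string. Function names (hostname_is_valid, ipv4_is_internal, ipv4_string_is_internal, long_hostname_is_rejected), the 253/63 limits taken from RFC 1035 text-form rules, and the POSIX inet_pton dependency are this example's own assumptions.

```c
/* Added example (not libuv's code): pre-resolution hostname validation and
 * post-resolution address classification, as a defence against the
 * truncation-to-internal-address problem described in CVE-2024-24806.
 * Assumes a POSIX system for <arpa/inet.h>. Helper names are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME_LEN 253 /* RFC 1035: 253 characters in text form */
#define MAX_LABEL_LEN    63  /* RFC 1035: each dot-separated label */

/* Returns true if `host` is a syntactically valid DNS name of bounded length.
 * Rejecting over-long names up front guarantees that a fixed 256-byte
 * internal buffer (like hostname_ascii in libuv before 1.48.0) can never
 * silently truncate what the resolver sees. */
bool hostname_is_valid(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOSTNAME_LEN) return false;
    if (host[len - 1] == '-') return false;          /* trailing hyphen */
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        if (c == '.') {
            /* empty label ("a..b") or label ending in a hyphen */
            if (label == 0 || host[i - 1] == '-') return false;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return false; /* leading hyphen */
            if (++label > MAX_LABEL_LEN) return false;
        } else {
            return false; /* whitespace, control bytes, or other junk */
        }
    }
    return true; /* a trailing dot (FQDN form) is accepted */
}

/* Returns true if a resolved IPv4 address (network byte order, as found in
 * struct in_addr) falls in loopback, link-local, "this network" or RFC 1918
 * space. This runs on the address the resolver actually returned, so it is
 * unaffected by how the hostname string was spelled or truncated. */
bool ipv4_is_internal(uint32_t addr_nbo) {
    uint32_t a = ntohl(addr_nbo);
    uint8_t o1 = (uint8_t)(a >> 24);
    uint8_t o2 = (uint8_t)((a >> 16) & 0xff);
    if (o1 == 127) return true;                           /* 127.0.0.0/8   */
    if (o1 == 10) return true;                            /* 10.0.0.0/8    */
    if (o1 == 172 && o2 >= 16 && o2 <= 31) return true;   /* 172.16.0.0/12 */
    if (o1 == 192 && o2 == 168) return true;              /* 192.168.0.0/16*/
    if (o1 == 169 && o2 == 254) return true;              /* 169.254.0.0/16*/
    if (o1 == 0) return true;                             /* 0.0.0.0/8     */
    return false;
}

/* Convenience wrapper: parse a dotted-quad string and classify it. Returns
 * false for anything inet_pton does not accept as a plain IPv4 literal. */
bool ipv4_string_is_internal(const char *s) {
    struct in_addr in;
    if (inet_pton(AF_INET, s, &in) != 1) return false;
    return ipv4_is_internal(in.s_addr);
}

/* Constructs a 300-character name (well past the 253 limit) and confirms the
 * validator rejects it before any resolver buffer could truncate it. */
bool long_hostname_is_rejected(void) {
    char name[301];
    memset(name, 'a', 300);
    name[300] = '\0';
    return !hostname_is_valid(name);
}

int main(void) {
    /* Constructed sample inputs, not taken from the advisory. */
    const char *names[] = { "example.com", "user-1.example.com",
                            "-bad.example.com", "bad..example.com" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s valid=%d\n", names[i], hostname_is_valid(names[i]));
    printf("300-char name rejected=%d\n", long_hostname_is_rejected());
    printf("127.0.0.1 internal=%d\n", ipv4_string_is_internal("127.0.0.1"));
    printf("93.184.216.34 internal=%d\n", ipv4_string_is_internal("93.184.216.34"));
    return 0;
}
```

The order matters: validate the string first so the resolver is never handed something a fixed-size buffer could cut short, then classify every address the resolver returns, because the second check is the only one that cannot be fooled by how the name was written.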
www.openwall.com/lists/oss-security/2024/02/08/2
github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
launchpad.net/bugs/cve/CVE-2024-24806
nvd.nist.gov/vuln/detail/CVE-2024-24806
security-tracker.debian.org/tracker/CVE-2024-24806
ubuntu.com/security/notices/USN-6666-1
www.cve.org/CVERecord?id=CVE-2024-24806