CVE-2024-22019: 
npm vulnerability analysis and mitigation

A vulnerability in Node.js HTTP servers (CVE-2024-22019) allows attackers to send specially crafted HTTP requests with chunked encoding, leading to resource exhaustion and denial of service (DoS). The vulnerability was discovered and disclosed in February 2024, affecting all active Node.js release lines: 18.x, 20.x, and 21.x. The issue has been assigned a CVSS v3.0 base score of 7.5 (HIGH) (HackerOne).

The vulnerability exploits the lack of limitations on chunk extension bytes in Node.js HTTP servers. When processing HTTP requests with chunked encoding, the server reads an unbounded number of bytes from a single connection. This unbounded reading bypasses standard safeguards such as timeouts and body size limits (NodeJS Blog).

The successful exploitation of this vulnerability can cause CPU and network bandwidth exhaustion, leading to denial of service conditions. The attack can effectively bypass standard resource usage safeguards, potentially impacting the availability of Node.js HTTP servers (NodeJS Blog, NetApp Advisory).

The vulnerability has been patched in Node.js versions 18.19.1, 20.11.1, and 21.6.2. Users are strongly advised to upgrade to these or later versions to address the security issue (OSS Security).