CVE-2024-24806: 
npm vulnerability analysis and mitigation

CVE-2024-24806 is a vulnerability discovered in libuv, a multi-platform support library focused on asynchronous I/O. The vulnerability affects versions from 1.24.0 up to versions prior to 1.48.0, which was released in February 2024. The issue lies in how the hostname_ascii variable (with a length of 256 bytes) is handled in uv_getaddrinfo and its subsequent processing (GitHub Advisory).

The vulnerability occurs in the uv_getaddrinfo function in src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c. When hostnames exceed 256 characters, they get truncated without a proper terminating null byte. This truncation behavior can be exploited to create addresses like 0x00007f000001, which getaddrinfo considers valid, potentially allowing attackers to craft payloads that resolve to unintended IP addresses (GitHub Advisory).

The vulnerability can lead to Server-Side Request Forgery (SSRF) attacks, allowing unauthorized access to internal APIs, particularly in environments with multiple pods (e.g., Kubernetes). Additionally, websites that allow users to have custom subdomains could be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. The vulnerability has been rated as High severity with a CVSS score of 7.3 (NetApp Security).

The vulnerability has been fixed in libuv version 1.48.0. The fix includes proper zero-termination of IDNA output and rejection of zero-length IDNA inputs. Organizations using affected versions should upgrade to version 1.48.0 or later. Various vendors have also released patches for their products, including Red Hat Enterprise Linux and Debian (Red Hat Advisory, Debian LTS).