CVE-2022-24434
Denial of Service vulnerability in dicer
What is CVE-2022-24434 About?
This vulnerability is a Denial of Service (DoS) attack affecting the `dicer` package. A malicious attacker can crash a Node.js service by sending a specially crafted, modified form. This can lead to a complete denial of service and is relatively easy to exploit.
Affected Software
- dicer: <=0.3.1
- org.webjars.npm:dicer: <=0.3.0
Technical Details
The vulnerability lies within all versions of the `dicer` package. An attacker can craft a malicious form and send it to the server. This specially modified form exploits a weakness in how the `dicer` package processes form data, causing the Node.js service to crash. By sending this malicious form repeatedly in a loop, a complete and sustained denial of service can be achieved, making the service unavailable to legitimate users. The core attack vector is the HTTP form submission with manipulated content.
What is the Impact of CVE-2022-24434?
Successful exploitation may allow attackers to disrupt service availability by crashing the Node.js application, leading to a complete denial of service for legitimate users.
What is the Exploitability of CVE-2022-24434?
Exploitation of this vulnerability is of low to medium complexity, requiring the ability to send specifically crafted HTTP requests to the target server. No authentication is explicitly required, implying remote access is possible. Privilege requirements are low, as the attack targets the application's form processing rather than requiring elevated user permissions. The primary condition for success is the application's reliance on the vulnerable `dicer` package. The attack can be amplified by repeatedly sending the malicious form, ensuring a persistent denial of service. The risk factors that increase the likelihood of exploitation include publicly exposed Node.js services utilizing the affected package.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| nayankadamm | Link | PoC for CVE-2022-24434 |
What are the Available Fixes for CVE-2022-24434?
About the Fix from Resolved Security
The patch corrects logic in the Dicer and HeaderParser modules to prevent premature or repeated finish events and ensures that header parsing respects buffer boundaries and maximum header size limits. This addresses CVE-2022-24434 by fixing a flaw that allowed unbounded memory growth or process crashes due to inconsistent state tracking in multipart parsing, preventing denial of service attacks.
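To show, in runnable form, the three properties the fix description above calls out (a ceiling on header size, correct handling of data that arrives split across buffer boundaries, and a finish that happens exactly once), here is an added example written for this page. It is not dicer's code and not the patch from the linked pull request; it is a small multipart part-header parser built to illustrate the same defensive behaviour the Technical Details section contrasts with a crash. The class name `BoundedHeaderParser`, its `maxHeaderSize` option, the 16 KiB default, and the helper `parseChunks` are all choices made for this example.

```javascript
// Added example for this page, not code from dicer or from its fix.
// A multipart part-header parser that (1) caps the bytes it will buffer while
// looking for the end-of-headers marker, (2) still works when that marker is
// split across chunks, and (3) finishes exactly once, returning a structured
// error instead of throwing, so one bad request cannot take the process down.

const CRLFCRLF = Buffer.from('\r\n\r\n'); // terminates the header block

// Parse "Name: value" lines; returns null on a malformed line.
function parseHeaderLines(text) {
  const headers = Object.create(null);
  if (text.length === 0) return headers; // a part may carry no headers at all
  for (const line of text.split('\r\n')) {
    const sep = line.indexOf(':');
    if (sep <= 0) return null; // no "name:" prefix on this line
    const name = line.slice(0, sep).trim().toLowerCase();
    if (name === '') return null;
    headers[name] = line.slice(sep + 1).trim();
  }
  return headers;
}

class BoundedHeaderParser {
  // maxHeaderSize is in bytes, excluding the terminator; 16 KiB is an
  // assumed default chosen for this example.
  constructor({ maxHeaderSize = 16 * 1024 } = {}) {
    this.maxHeaderSize = maxHeaderSize;
    this.reset();
  }

  reset() {
    this.buffer = Buffer.alloc(0);
    this.finished = false;
  }

  // Feed one chunk. Returns { done: false } while more bytes are needed,
  // { done: true, headers, rest } once the header block is complete, or
  // { error } when the input is oversized, malformed, or arrives after finish.
  push(chunk) {
    if (this.finished) {
      // Never emit a second finish; data after completion is an error here.
      return { error: 'header block already finished; reset() before reuse' };
    }
    this.buffer = Buffer.concat([this.buffer, chunk]);
    const idx = this.buffer.indexOf(CRLFCRLF);

    if (idx === -1) {
      // The terminator may be partially present at the tail of the buffer, so
      // allow up to 3 extra bytes. Beyond that no valid header block can fit
      // within the limit, so stop buffering instead of growing without bound.
      if (this.buffer.length - (CRLFCRLF.length - 1) > this.maxHeaderSize) {
        return this.fail(`header block exceeds ${this.maxHeaderSize} bytes`);
      }
      return { done: false };
    }
    if (idx > this.maxHeaderSize) {
      return this.fail(`header block exceeds ${this.maxHeaderSize} bytes`);
    }

    const headers = parseHeaderLines(this.buffer.subarray(0, idx).toString('latin1'));
    if (headers === null) {
      return this.fail('malformed header line');
    }
    const rest = this.buffer.subarray(idx + CRLFCRLF.length); // start of the part body
    this.finished = true; // finish exactly once
    this.buffer = Buffer.alloc(0);
    return { done: true, headers, rest };
  }

  // Discard state and report the problem to the caller rather than throwing.
  fail(message) {
    this.reset();
    return { error: message };
  }
}

// Drive the parser over an array of chunks (strings or Buffers) and return the
// first terminal result, the way a handler would while reading a request stream.
function parseChunks(chunks, options) {
  const parser = new BoundedHeaderParser(options);
  let result = { done: false };
  for (const chunk of chunks) {
    result = parser.push(Buffer.from(chunk));
    if (result.error || result.done) break;
  }
  return result;
}
```

A caller that receives `{ error }` should respond with a 4xx status and close the connection; the important design point is that neither an oversized header block nor data arriving after the block is complete can grow the buffer indefinitely or surface as an uncaught exception.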
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/mscdex/dicer/pull/22
- https://github.com/mscdex/dicer
- https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac
- https://osv.dev/vulnerability/GHSA-wm7h-9275-46v2
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865
- https://github.com/mscdex/busboy/issues/250
- https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac
- https://snyk.io/vuln/SNYK-JS-DICER-2311764
What are Similar Vulnerabilities to CVE-2022-24434?
Similar Vulnerabilities: CVE-2022-22970, CVE-2022-3517, CVE-2022-25858, CVE-2022-31030, CVE-2022-29078
