CVE-2024-25142
Denial of Service vulnerability in apache-airflow (PyPI)
What is CVE-2024-25142 About?
This vulnerability is a Denial of Service (DoS) affecting node-static packages, where the server crashes due to an unhandled exception caused by null bytes in user input. An attacker can easily trigger this by accessing a specific crafted URL. Successful exploitation leads to server unavailability.
Affected Software
Technical Details
The vulnerability stems from the node-static package failing to catch an exception when user input contains null bytes (represented as '%00' in a URL). Specifically, if an attacker accesses a URL like http://host/%00, the server attempts to process this input. The null byte causes an unexpected condition within the server's file path resolution or resource handling logic, which raises an exception. Since this exception is not caught, the Node.js process crashes, resulting in a Denial of Service for all users of the server. This is a direct server-side crash triggered by malformed input.
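The input handling described above, as an added example (not code from node-static or from this advisory): a request-path validator for a Node.js static file server that answers null bytes and malformed escapes with a 400 instead of letting an exception end the process. The names resolveRequestPath and safeHandle, the status codes and the sample paths are assumptions made for illustration, and paths are treated as POSIX-style.

```javascript
// Added example: validate a request path before it reaches any file-system call.
// resolveRequestPath and safeHandle are hypothetical names, not node-static's API.
function resolveRequestPath(rawPath) {
  let decoded;
  try {
    // Malformed escapes such as "%zz" throw URIError; treat them as a bad request.
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    return { status: 400, reason: 'malformed percent-encoding' };
  }
  // "%00" decodes to U+0000. Node's fs APIs throw on paths containing it,
  // so reject the request here instead of letting that exception surface later.
  if (decoded.includes('\0')) {
    return { status: 400, reason: 'null byte in path' };
  }
  // Normalise segments so ".." can never climb above the document root.
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return { status: 403, reason: 'path escapes root' };
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return { status: 200, relative: out.join('/') };
}

// Defence in depth: any exception the handler still raises becomes a 500
// response for that one request rather than a crash of the whole process.
function safeHandle(handler, rawPath) {
  try {
    return handler(resolveRequestPath(rawPath));
  } catch (err) {
    return { status: 500, reason: 'internal error' };
  }
}

// Constructed sample request paths.
const samples = ['/index.html', '/%00', '/a/%00/b', '/%zz', '/../x', '/css/../js/app.js'];
for (const p of samples) {
  console.log(JSON.stringify(p), '->', JSON.stringify(resolveRequestPath(p)));
}
```

Validation and the catch-all wrapper are complementary: the first turns known-bad input into a clean 400, the second keeps one unforeseen exception from taking the server down for every user.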
What is the Impact of CVE-2024-25142?
Successful exploitation may allow attackers to cause a Denial of Service (DoS), leading to significant application downtime, service unavailability, and interruption of normal operations.
What is the Exploitability of CVE-2024-25142?
Exploitation is straightforward and requires remote access to the web server. There are no authentication or special privilege requirements; an unauthenticated remote attacker can trigger the vulnerability by simply sending a malformed HTTP request containing a null byte in the URL path. The complexity is very low, as it's a direct trigger. The primary constraint is that the server must be running the vulnerable node-static package and be accessible over HTTP. The risk factor for exploitation is high due to its ease and the unauthenticated nature of the attack.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-25142?
Available Upgrade Options
- apache-airflow
  - <2.9.2 → Upgrade to 2.9.2
Additional Resources
- https://lists.apache.org/thread/cg1j28lk0fhzthk0of1g7vy7p2n1j7nr
- https://github.com/apache/airflow/commit/94eb647de692a4d9555b02dce85974da5d4c04e3
- https://osv.dev/vulnerability/PYSEC-2024-195
- https://github.com/apache/airflow/pull/39550
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-195.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2024-25142
- http://www.openwall.com/lists/oss-security/2024/06/13/1
What are Similar Vulnerabilities to CVE-2024-25142?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-40182, CVE-2022-26134, CVE-2022-23067, CVE-2021-3770
