CVE-2024-26280
Denial of Service vulnerability in apache-airflow (PyPI)

Category: Denial of Service. Known public exploit: none.

What is CVE-2024-26280 About?

This vulnerability is a Denial of Service (DoS) affecting all versions of node-static packages. It allows attackers to crash the server by sending user input containing null bytes. This issue arises from the package's failure to catch an exception when processing such input. This renders the server unavailable and is easy to exploit.

Affected Software

apache-airflow <2.8.2

Technical Details

The vulnerability, categorized as Denial of Service, affects all versions of node-static and @nubosoftware/node-static packages. It specifically occurs because the package's code base 'fails to catch an exception' that is triggered when user input, particularly within a URL path, includes 'null bytes' (e.g., http://host/%00). The presence of these null bytes causes an unexpected error condition or invalid path processing logic within the server. Since the exception is not appropriately handled, the Node.js application process terminates (crashes), leading to a Denial of Service. This implies a lack of robust input validation and error handling for malformed HTTP requests.

What is the Impact of CVE-2024-26280?

Successful exploitation may allow attackers to cause a Denial of Service (DoS), leading to significant application downtime, service unavailability, and interruption of normal operations.

What is the Exploitability of CVE-2024-26280?

Exploitation is straightforward and can be achieved by any remote, unauthenticated attacker. The attacker merely needs to send a crafted HTTP request to the vulnerable server, specifically including null bytes in the URL path (e.g., http://host/%00). No specific authentication or privilege is required. The complexity is very low, as it is a direct, unauthenticated request against an accessible endpoint. The primary constraint is that the server must be using the vulnerable node-static package and be publicly exposed. The risk factor for exploitation is high due to its simplicity and the potential for widespread disruption.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-26280?

Available Upgrade Options

  • apache-airflow
    • <2.8.2 → Upgrade to 2.8.2

Additional Resources

What are Similar Vulnerabilities to CVE-2024-26280?

Similar Vulnerabilities: CVE-2025-11149, CVE-2023-45136, CVE-2023-40182, CVE-2022-26134, CVE-2022-23067