CVE-2024-21536

Exploit

EPSS 0.35%
Veröffentlicht 19.10.2024 05:15:13
Zuletzt bearbeitet 01.11.2024 18:03:15
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Chimurai ≫ Http-proxy-middleware Version < 2.0.7

Chimurai ≫ Http-proxy-middleware Version >= 3.0.0 < 3.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.573

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a

Third Party Advisory

Exploit

https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5

Patch

https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22

Patch

https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21536

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21536

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21536

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-21536