CVE-2024-24806

Summary

CVE-2024-24806 is a vulnerability in the libuv library, affecting multiple products. The vulnerability arises from the truncation of hostnames to 256 characters before calling `getaddrinfo`, which can be exploited by attackers to create addresses like `0x00007f000001`. This could allow them to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The issue stems from how the `hostname_ascii` variable is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`, where hostnames exceeding 256 characters get truncated without a terminating null byte. This vulnerability poses a potential danger to organizations as it could enable attackers to access internal APIs or expose internal services to Server Side Request Forgery (SSRF) attacks. Remediation for this vulnerability involves updating libuv library versions to ones that address this issue. The severity of this vulnerability is rated as HIGH with a base score of 7.3 according to CVE analysis data from [email protected].

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.