Listen to this Post
The vulnerability exists in the Node.js adapter for Axios. When handling a `data:` scheme URI, the adapter bypasses the standard HTTP request flow. Instead, it directly decodes the entire Base64 payload from the URI into a single `Buffer` or `Blob` object in memory. This process occurs within the `fromDataURI` helper function. Crucially, this path does not honor the `maxContentLength` or `maxBodyLength` configuration options, which are only applied to actual HTTP response streams. An attacker can craft a `data:` URI containing an extremely large Base64 string. When this URI is requested by Axios, the Node.js process will attempt to decode the entire string into memory in one operation, leading to unbounded memory allocation and a Denial of Service (DoS) crash.
Platform: Node.js
Version: Axios <=1.7.4
Vulnerability: Unbounded Memory Allocation
Severity: Critical
date: 2024-12-19
Prediction: Patch expected 2024-12-23
What Undercode Say:
`curl -X POST “http://localhost:8081/preview” -H “Content-Type: application/json” –data ‘{“url”:”data:application/octet-stream;base64,’$(dd if=/dev/zero bs=1M count=100 | base64 -w0)'”}’`
`node –max-old-space-size=100 poc.js`
`const axios = require(‘axios’); await axios.get(‘data:base64,’ + ‘A’.repeat(160000000));`
How Exploit:
Craft large data URI.
Target Axios GET request.
Trigger memory exhaustion.
Protection from this CVE:
Update Axios.
Implement input validation.
Reject large data URIs.
Impact:
Remote Denial of Service.
Process termination.
High memory consumption.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

