PT-2024-2832 · Libuv+10
Arash16 · Published 2024-02-07 · Updated 2025-08-12
CVE-2024-24806
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
libuv versions prior to 1.48.0
Description
The issue arises from the handling of the hostname_ascii variable in the uv_getaddrinfo function, which silently truncates hostnames to 256 characters before passing them to getaddrinfo. A hostname longer than that limit can therefore be checked by the application in full but resolved by getaddrinfo only by its truncated prefix, which is still a name getaddrinfo considers valid. This lets an attacker craft hostnames that resolve to unintended IP addresses and bypass developer checks, potentially giving access to internal APIs or exposing internal services to Server-Side Request Forgery (SSRF) attacks.
Recommendations
For versions prior to 1.48.0, upgrade to version 1.48.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the uv_getaddrinfo function until a patch is available. Avoid using hostnames that exceed 256 characters in the affected API endpoints until the issue is resolved.
Tags: Exploit, Fix, SSRF
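As an added illustration (not code from the advisory or from libuv itself), the C model below shows why the truncation described above defeats an application-side suffix allowlist, and the length check that closes the gap. The 256-byte buffer size is taken from the description; the 253-byte DNS name limit, the `.example.com` suffix and the constructed sample name are assumptions for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Size of the fixed hostname buffer described in the advisory (256 bytes). */
#define UV_HOSTNAME_BUF 256
/* Longest hostname DNS accepts in presentation form (RFC 1035); used by the hardened check. */
#define DNS_MAX_NAME 253

/* Model of the pre-1.48.0 behaviour: anything past 255 characters is silently cut off. */
static void truncate_like_old_libuv(const char *in, char out[UV_HOSTNAME_BUF]) {
    strncpy(out, in, UV_HOSTNAME_BUF - 1);
    out[UV_HOSTNAME_BUF - 1] = '\0';
}

static bool ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Constructed input: prefix_len filler characters (a dot every 50 chars keeps each
 * label within the 63-byte label limit) followed by the allowed suffix. Returns length or -1. */
int build_long_name(char *buf, size_t cap, size_t prefix_len, const char *suffix) {
    size_t i, slen = strlen(suffix);
    if (prefix_len + slen + 1 > cap) return -1;
    for (i = 0; i < prefix_len; i++)
        buf[i] = (i % 50 == 49) ? '.' : 'a';
    memcpy(buf + prefix_len, suffix, slen + 1);
    return (int)(prefix_len + slen);
}

/* Weak check: validates only the suffix of the full string. Returns true when the
 * name passes that check but the resolver would see a different, unvalidated name. */
bool suffix_check_bypassed(const char *hostname, const char *allowed_suffix) {
    char seen_by_resolver[UV_HOSTNAME_BUF];
    if (!ends_with(hostname, allowed_suffix)) return false;
    truncate_like_old_libuv(hostname, seen_by_resolver);
    return !ends_with(seen_by_resolver, allowed_suffix);
}

/* Hardened check: reject over-long names before looking at the suffix, so the
 * string the application validates is exactly the string the resolver receives. */
bool hostname_allowed(const char *hostname, const char *allowed_suffix) {
    size_t len = strlen(hostname);
    if (len == 0 || len > DNS_MAX_NAME) return false;
    return ends_with(hostname, allowed_suffix);
}
```

The same length gate belongs in front of any resolver call made with user-controlled names, whether or not the libuv version in use is patched.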
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
libuv