CVE-2019-5737
Severity: 7.5 HIGH
EPSS: 26.4% (top 3.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 28
Latest update: May 13
Description
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and …
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected packages: 4 packages
Vendor advisories
Microsoft (2019-03-12): In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep...
Debian (2019): CVE-2019-5737: nodejs - In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, ...
Community
Bugzilla (2019-03-20): CVE-2019-5737 nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass
Bugzilla (2019-03-20): CVE-2019-5737 nodejs: insufficient Slowloris fix causing DoS via server.headersTimeout bypass [fedora-all]
Bugzilla (2019-03-20): CVE-2019-5737 nodejs: insufficient Slowloris fix causing DoS via server.headersTimeout bypass [epel-7]