CVE-2024-27983

CWE-362Race ConditionCWE-400Uncontrolled Resource Consumption9 documents8 sources
Severity
8.2HIGH
EPSS
75.9%
top 1.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedApr 9
Latest updateJan 15

Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

CVEListV5nodejs/node4.04.*+17
Debiannodejs< 12.22.12~dfsg-1~deb11u5+3

🔴Vulnerability Details

3
OSV
CVE-2024-27983: An attacker can make the Node2024-04-09
GHSA
GHSA-j65r-8hrg-qc6x: An attacker can make the Node2024-04-09
CVEList
CVE-2024-27983: An attacker can make the Node2024-04-09

📋Vendor Advisories

5
Oracle
Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Node.js) — CVE-2024-279832025-01-15
Oracle
Oracle Oracle Java SE Risk Matrix: Node (Node.js) — CVE-2024-279832024-07-15
Microsoft
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 m2024-04-09
Red Hat
nodejs: CONTINUATION frames DoS2024-04-03
Debian
CVE-2024-27983: nodejs - An attacker can make the Node.js HTTP/2 server completely unavailable by sending...2024
CVE-2024-27983 (HIGH CVSS 8.2) | An attacker can make the Node.js HT | cvebase.io