CVE-2024-27983
CVE-2024-27983 is a vulnerability of currently unknown severity. An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets, each carrying a few HTTP/2 frames. It is possible to leave some data in nghttp2 memory after reset when headers using HTTP/2 CONTINUATION frames are sent to the server and the TCP connection is then abruptly closed by the client; this triggers the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition. EPSS estimates an 87.21% chance of exploitation in the next 30 days.
Description
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets, each carrying a few HTTP/2 frames. It is possible to leave some data in nghttp2 memory after reset when headers using HTTP/2 CONTINUATION frames are sent to the server and the TCP connection is then abruptly closed by the client; this triggers the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.
Timeline
- Status: Deferred
Source: NVD / NIST
