Bug 2272764 (CVE-2024-27983) - CVE-2024-27983 nodejs: CONTINUATION frames DoS [NEEDINFO]
Summary: CVE-2024-27983 nodejs: CONTINUATION frames DoS
Keywords:
Status: NEW
Alias: CVE-2024-27983
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273043 2273044 2275569 2273045
Blocks: 2268258
TreeView+ depends on / blocked
 
Reported: 2024-04-02 21:49 UTC by Nick Tait
Modified: 2024-04-26 10:09 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which could use up compute or memory resources, causing a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:
jstanek: needinfo? (ntait)

Attachments (Terms of Use)

Description Nick Tait 2024-04-02 21:49:25 UTC 
This description was provided in the disclosure from VINCE:

Node.js 18, 20, and 21 are affected by this.

Description: An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Comment 4 Nick Tait 2024-04-03 19:19:00 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273043]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273044]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273045]
Note You need to log in before you can comment on or make changes to this bug.