At a minimum, the following versions of Node.js are affected 18, 20, and 21. Description: An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2273043] Created nodejs18 tracking bugs for this issue: Affects: fedora-all [bug 2273044] Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2273045]
Created nodejs16 tracking bugs for this issue: Affects: fedora-all [bug 2278048] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2278047]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:2937 https://access.redhat.com/errata/RHSA-2024:2937