CVE-2024-27983: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames...
Description
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Classification
CVE ID: CVE-2024-27983
CVSS Base Severity: HIGH
CVSS Base Score: 8.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products
Vendor: Node.js
Product: Node
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 18.39% (scored less or equal to compared to others)
EPSS Date: 2025-03-14 (when was this score calculated)
References
https://hackerone.com/reports/2319584https://lists.fedoraproject.org/archives/list/[email protected]/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://security.netapp.com/advisory/ntap-20240510-0002/