CVE-2024-27983

high-risk
Published 2024-04-09

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Do I need to act?

!
75.9% chance of exploitation in next 30 days
EPSS score — higher than 24% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10 High
NETWORK / LOW complexity

References (12)

http://www.openwall.com/lists/oss-security/2024/04/03/16
https://hackerone.com/reports/2319584
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://security.netapp.com/advisory/ntap-20240510-0002/
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://hackerone.com/reports/2319584
https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://security.netapp.com/advisory/ntap-20240510-0002/
https://www.kb.cert.org/vuls/id/421644
53
/ 100
high-risk
Severity 28/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal