An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Metrics
Affected Vendors & Products
References
History
Fri, 14 Mar 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-362 |
Fri, 14 Feb 2025 08:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Nodejs
Nodejs nodejs |
|
CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Nodejs
Nodejs nodejs |
|
Metrics |
ssvc
|

Status: PUBLISHED
Assigner: hackerone
Published:
Updated: 2025-03-14T18:08:27.458Z
Reserved: 2024-02-29T01:04:06.641Z
Link: CVE-2024-27983

Updated: 2024-08-02T00:41:55.943Z

Status : Awaiting Analysis
Published: 2024-04-09T01:15:49.197
Modified: 2025-03-14T18:15:27.830
Link: CVE-2024-27983
