Description
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak leading to Denial of Service
Action: Apply Patch
AI Analysis

Impact

A memory leak in Node.js HTTP/2 servers occurs when the server receives WINDOW_UPDATE frames on stream 0 that increase the flow control window beyond 2³¹-1. The server sends a GOAWAY frame to terminate the connection but does not clean up the Http2Session object. The retained session consumes memory, leading to resource exhaustion and enabling a denial‑of‑service attack. This weakness falls under memory management and resource cleanup failures, aligned with CWE‑401 and CWE‑772.

Affected Systems

The flaw is present in Node.js HTTP/2 implementations running versions 20, 22, 24, and 25. Systems that expose HTTP/2 services and are built on these Node.js releases are vulnerable. No other Node.js versions were listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, reflecting that the attack requires a client that can send crafted HTTP/2 frames. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. Exploitation would involve a remote client sending oversized WINDOW_UPDATE frames over an HTTP/2 connection; because the server spawns an unreleased session, persistent memory use can culminate in service disruption.

Generated by OpenCVE AI on April 1, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to a patched release that eliminates the memory leak.
  • Restart your Node.js HTTP/2 servers to clear any remaining leaked sessions after the upgrade.
  • Monitor server memory usage and network traffic for sudden spikes that could indicate an attempted exploitation.

Generated by OpenCVE AI on April 1, 2026 at 05:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js HTTP/2 Server Memory Leak due to WINDOW_UPDATE Frames Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-400 CWE-772
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js HTTP/2 Server Memory Leak due to WINDOW_UPDATE Frames
Weaknesses CWE-400

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
References
Metrics cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T18:05:22.283Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21714

cve-icon Vulnrichment

Updated: 2026-03-31T16:15:18.022Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.573

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21714

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21714 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:06Z

Weaknesses