Description
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Node.js a malicious or compromised server to send an unlimited number of ORIGIN frames. Each frame consumes memory on the client side, which can quickly exhaust available heap space. This exhaustion can trigger an Out of Memory condition that terminates the Node.js process, effectively causing a denial of service. The weakness is a classic resource exhaustion vulnerability (CWE‑400, CWE‑770).

Affected Systems

The issue is present in all currently supported Node.js release lines, specifically Node.js 22, Node.js 24, and Node.js 26. Deployments using any of these versions and making HTTP/2 calls are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of 0.00505 indicates a very low likelihood of exploitation, and the vulnerability is not present in the CISA KEV catalog, implying no known active exploitation at the time of this analysis. The attack vector is likely from a remote server that an application trusts for HTTP/2 traffic; an attacker who can control such a server can trigger the memory exhaustion and cause the client application to crash.

Generated by OpenCVE AI on June 27, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the most recent Node.js release (22.x, 24.x or 26.x) that includes the HTTP/2 client patch.
  • Replace the old Node.js binary with the updated one and restart all services that rely on it to load the patched runtime.
  • After upgrading, monitor application memory usage and network traffic for unexpected spikes or crashes, and consider configuring application‑level heap limits to mitigate residual risk.

Generated by OpenCVE AI on June 27, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Node.js HTTP/2 Client Unlimited ORIGIN Frames Cause Out of Memory nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 26 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Fri, 26 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js HTTP/2 Client Unlimited ORIGIN Frames Cause Out of Memory

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weaknesses CWE-400
References
Metrics cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T15:01:43.942Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48619

cve-icon Vulnrichment

Updated: 2026-06-26T15:01:37.921Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48619 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:00:10Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling