Description
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Node.js HTTP/2 server API allows a server to keep accepting data after it has sent a GOAWAY frame, so a session the server has already announced it is closing continues to consume memory and network capacity. This is an uncontrolled resource consumption flaw (CWE-400): a client that ignores the server's GOAWAY and keeps sending data on such sessions can degrade service availability. Nothing in the description implies code execution or data exfiltration, which matches the CVSS vector's C:N/I:N/A:L.

Affected Systems

The vulnerability affects the Node.js runtime (OpenCVE vendor/product identifier `nodejs:node`). It is known to affect the Node.js 22 and 24 release lines, both of which are supported lines targeted at production use.

Risk and Exploitability

The CVSS 3.0 score is 5.3 (Medium; vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). No EPSS score is available, so the probability of exploitation in the wild is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a malicious HTTP/2 client that keeps sending frames to a Node.js server after that server has sent GOAWAY. Exploitation requires only network access to a server built on the built-in `node:http2` server API; no privileges and no user interaction are needed, consistent with PR:N/UI:N in the vector and the SSVC assessment of Automatable: yes.

Generated by OpenCVE AI on June 18, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the first release in the 22.x or 24.x line that addresses the HTTP/2 GOAWAY handling flaw once one is published (no fixed version is listed here yet)
  • Inventory which services expose the built-in `node:http2` server API to untrusted clients, since that is the affected component; services that only use the HTTP/1.1 `http`/`https` modules are not exposed through this path
  • If an upgrade is not immediately feasible, consider disabling HTTP/2 for external traffic, or applying network‑level rate limiting and connection timeouts so a session cannot keep consuming resources after GOAWAY

Generated by OpenCVE AI on June 18, 2026 at 21:19 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Node.js HTTP/2 Server Accepts Data After GOAWAY Frame |

Thu, 18 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Thu, 18 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. |
| Weaknesses | | CWE-400 |
| References | | |
| Metrics | | cvssV3_0: `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` |


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-18T18:44:02.018Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48937

Vulnrichment

Updated: 2026-06-18T18:43:57.581Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption