CVE-2018-12121

Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

How to fix CVE-2018-12121

To remediate CVE-2018-12121, upgrade the affected package to a fixed version below.

—upgrade to 10.14.0-r0 or later
—upgrade to 10.15.0~dfsg-6 or later

Is CVE-2018-12121 being exploited?

Moderate — EPSS is 5.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 10.14.0-r0
from 0, < 10.15.0~dfsg-6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-12121
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-12121