CVE-2024-27983

Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

How to fix CVE-2024-27983

To remediate CVE-2024-27983, upgrade the affected package to a fixed version below.

• —upgrade to 18.20.1-r0 or later
• —upgrade to 18.20.1 or later
• —upgrade to 18.20.1 or later
• —upgrade to 12.22.12~dfsg-1~deb11u5 or later

Is CVE-2024-27983 being exploited?

Likely — EPSS is 75.9%, placing CVE-2024-27983 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

• from 0, < 18.20.1-r0
• from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
• from 0, < 18.20.1, >= 19.0.0, < 20.12.1, >= 21.0.0, < 21.7.2
• from 0, < 12.22.12~dfsg-1~deb11u5

CVSS scores

References (13)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-27983
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-27983
• WEBgithub.com/nodejs/node/releases/tag/v18.20.1
• WEBgithub.com/nodejs/node/releases/tag/v20.12.1
• WEB