Описание
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
A vulnerability was found in NodeJS when handling HTTP/2 connections, where the remote peer abruptly closes the socket without sending the proper HTTP/2 notification to the server, leading to a memory leak. This flaw allows an attacker to force the targeted process in the targeted host to an uncontrollable resource consumption state, starving the process and possibly other processes running at the same host to memory starvation, leading to a denial of service.
Меры по смягчению последствий
There's no available mitigation for this issue other than updating to the package version which contains the fix.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | nodejs22 | Affected | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2025:1351 | 12.02.2025 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2025:1582 | 17.02.2025 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2025:1611 | 17.02.2025 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2025:1443 | 13.02.2025 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2025:1446 | 13.02.2025 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2025:1613 | 17.02.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
A memory leak could occur when a remote peer abruptly closes the socke ...
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
EPSS
5.3 Medium
CVSS3