Lucene search
BartH1:2453328HistoryApr 08, 2024 - 8:41 p.m.
Internet Bug Bounty: Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
2024-04-0820:41:07
bart
hackerone.com
$3645
20
node.js
http/2
server crash
bug bounty
vulnerability
security release
hackerone report
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
- Advisory: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases
- HackerOne report: 2319584
Impact
Server crashes instantly after sending a few HTTP/2 frames.
Related
veracode
veracode
Denial Of Service (DoS)
2024-04-11 02:04:36
f5
f5
K000139532 : Node.js vulnerability CVE-2024-27983
2024-05-07 00:00:00
cvelist
cvelist
CVE-2024-27983
2024-04-09 01:06:43
debiancve
debiancve
CVE-2024-27983
2024-04-09 01:15:49
ubuntucve
ubuntucve
CVE-2024-27983
2024-04-09 00:00:00
cbl_mariner
cbl_mariner
CVE-2024-27983 affecting package nodejs18 for versions less than 18.18.2-7
2024-04-30 01:31:53
redhatcve
redhatcve
CVE-2024-27983
2024-04-03 19:27:23
cve
cve
CVE-2024-27983
2024-04-09 01:15:49
hackerone
hackerone
githubexploit
githubexploit
Exploit for CVE-2024-27983
2024-04-14 11:34:52
nessus
nessus
F5 Networks BIG-IP : Node.js vulnerability (K000139532)
2024-05-07 00:00:00
RHEL 7 : rh-nodejs14 (RHSA-2024:3472)
2024-05-29 00:00:00
RHEL 9 : nodejs (RHSA-2024:2937)
2024-05-21 00:00:00
alpinelinux
alpinelinux
CVE-2024-27983
2024-04-09 01:15:49
redhat
redhat
(RHSA-2024:3472) Important: rh-nodejs14 security update
2024-05-29 15:31:29
(RHSA-2024:2937) Important: nodejs security update
2024-05-21 04:57:15
(RHSA-2024:2853) Important: nodejs:20 security update
2024-05-15 10:54:45
osv
osv
CVE-2024-27983
2024-04-09 01:15:49
Important: nodejs:18 security update
2024-05-09 18:51:51
Important: nodejs:18 security update
2024-05-09 00:00:00
redos
redos
ROS-20240425-03
2024-04-25 00:00:00
openvas
openvas
openSUSE: Security Advisory for nodejs16 (SUSE-SU-2024:1306-1)
2024-04-17 00:00:00
Mageia: Security Advisory (MGASA-2024-0110)
2024-04-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:1308-1)
2024-05-07 00:00:00
ibm
ibm
fedora
fedora
[SECURITY] Fedora 40 Update: nodejs20-20.12.2-1.fc40
2024-04-19 21:44:22
[SECURITY] Fedora 39 Update: nodejs20-20.12.2-1.fc39
2024-04-20 01:03:33
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2024-04-05 21:24:25
rocky
rocky
nodejs:18 security update
2024-05-09 18:50:42
nodejs:18 security update
2024-05-09 18:51:51
nodejs:20 security update
2024-05-09 18:50:42
oraclelinux
oraclelinux
nodejs:20 security update
2024-05-09 00:00:00
nodejs security update
2024-05-22 00:00:00
nodejs:18 security update
2024-05-14 00:00:00
almalinux
almalinux
Important: nodejs:18 security update
2024-05-09 00:00:00
Important: nodejs:20 security update
2024-05-15 00:00:00
Important: nodejs security update
2024-05-20 00:00:00
arista
arista
Security Advisory 0094
2024-04-05 00:00:00
thn
thn
New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
2024-04-04 11:15:00
cert
cert
HTTP/2 CONTINUATION frames can be utilized for DoS attacks
2024-04-03 00:00:00