CVE-2025-23085
CVE-2025-23085 describes a memory leak in Node.js HTTP/2 server handling that can occur when a remote peer closes the socket without GOAWAY, or when nghttp2 terminates a connection due to an invalid header. The resulting leak can increase memory usage and, under certain conditions, enable denial ...
CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...
CVE-2021-39204
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versio...
CVE-2025-21549
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful...
SUSE-SU-2025:0058-1 Security update for tomcat
This update for tomcat fixes the following issues: Update to Tomcat 9.0.98 - Fixed CVEs: + CVE-2024-54677: DoS in examples web application bsc1234664 + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation bsc1234663 + CVE-2024-52317: Request/response mix-up with HTTP/2 bsc1233435 - Catalina...
CVE-2024-32663
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19...
Security Bulletin: Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak. This bulletin identifies fixes required to resolve the vulnerabilities. Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled...
Security Bulletin: IBM Storage Protect Server is susceptible to vulnerability in Golang Go (CVE-2023-45288).
Summary Golang Go is used by the IBM Storage Protect Server OSSM component. Golang Go is vulnerable to loss of availability of host system. This bulletin identifies the steps to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/2...
Security Bulletin: Vulnerabilities in Node.js, Golang Go, HTTP/2, NGINX, OpenSSH, Linux kernel might affect IBM Spectrum Protect Plus
Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in Node.js, Golang Go, HTTP/2, NGINX, OpenSSH and Linux. Vulnerabilities include, causing a denial-of-service condition, the elevation of privileges, remote execution of arbitrary code, HTTP header injection, HTML injection,...
Security Bulletin: Multiple Vulnerabilities in Golang Affect IBM Cloud Pak System
Summary Vulnerabilities in Golang affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-24789 DESCRIPTION: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, in Golang Go [CVE-2023-45288]
Summary Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, in Golang Go, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages (CVE-2023-45288)...
Security update for nghttp2
This update for nghttp2 fixes the following issues: CVE-2024-28182: Fixed denial of service via http/2 continuation frames bsc1221399 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run t...
SUSE: Security Advisory (SUSE-SU-2025:0282-1)
The remote host is missing an update for the ...
ISC BIND DoS Vulnerability (CVE-2024-12705) - Windows
ISC BIND is prone to a denial of service (DoS) vulnerability in the DNS-over-HTTPS implementation. ...
CVE-2024-12705 DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for June 2024.
Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF034 and 23.0.2-IF006. Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated...
SUSE-SU-2025:0283-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack bsc1216171 - CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information bsc1229155...