nghttp2 security update

An update is available for nghttp2. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list libnghttp2 is a library implementing the Hypertext Transfer Protocol version ...

nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

EUVD-2023-43179

Malicious code in bioql PyPI...

EUVD-2023-1524

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2020-9494

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to...

Linux Distros Unpatched Vulnerability : CVE-2024-27983

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is...

AlmaLinux 9 : nodejs:18 (ALSA-2025:1446)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:1446 advisory. undici: Undici Uses Insufficiently Random Values CVE-2025-22150 nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap CVE-2025-23085 Tenable has...

BIT-NODE-MIN-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

Node.js: GOAWAY HTTP/2 frames cause memory leak outside heap

A memory leak could occur when a remote peer abruptly closed the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could have led to increased memory...

[SECURITY] [DLA 3898-1] nghttp2 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3898-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk September 27, 2024 https://wiki.debian.org/LTS -...

AlmaLinux 9 : nodejs:20 (ALSA-2024:2853)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:2853 advisory. c-ares: Out of bounds read in aresreadline CVE-2024-25629 nghttp2: CONTINUATION frames DoS CVE-2024-28182 nodejs: using the fetch function to retrieve...

MGASA-2024-0135 Updated nghttp2 packages fix security vulnerability

nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. This update fixes the issue. This is the latest release, which will bring some more fixes and...

CVE-2024-3302

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10...

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

SUSE-SU-2024:1156-1 Security update for nghttp2

This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames bsc1221399...

SUSE-SU-2024:1121-1 Security update for go1.22

This update for go1.22 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.22.2 bsc1218424...

Node.js: "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash

A vulnerability was discovered in the Node.js HTTP/2 stack http2 package. An attacker could send a small amount of TCP packets with HTTP/2 frames, causing the Node.js server to crash due to an assertion failure in the Http2Session destructor. The issue occurred when headers with HTTP/2 CONTINUATI...

Improper Input Validation

trafficserver is vulnerable to Improper Input Validation. The vulnerability occurs in the Apache traffic server with malformed HTTP/2 frames resulting in a Denial of Service...