8.2
CVE-2024-27983
- EPSS 61.68%
- Published 09.04.2024 01:15:49
- Last modified 14.03.2025 18:15:27
- Source support@hackerone.com
- Teams watchlist Login
- Open Login
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
Vendornodejs
≫
Product
nodejs
Default Statusunknown
Version <=
18.20.0
Version
0
Status
affected
Version <=
20.12.0
Version
0
Status
affected
Version <=
21.7.1
Version
0
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 61.68% | 0.983 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| support@hackerone.com | 8.2 | 3.9 | 4.2 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
|
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.