Published: 09/04/2024 Updated: 01/05/2024

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Debian Bug report logs - #1068347 nodejs: CVE-2024-27983 CVE-2024-27982 Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-listsdebiannet>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Wed, 3 Apr 2024 21:15:05 UTC Severity: grave Tags: security, u ...

An attacker can make the Nodejs HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client trigge ...

oss-sec mailing list archives   By Date By Thread </form>    CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks  <!--X-Head-of-Messag ...

CVE-2024-27983 this repository builds up a vulnerable HTTP2 Node.js server (`server-nossl.js`) based on CVE-2024-27983 which exploits a continuation flood vulnerability in HTTP2 servers.

This repository builds up a vulnerable HTTP2 Nodejs server (server-nossljs) based on CVE-2024-27983 which exploits a continuation flood vulnerability in HTTP2 servers Notes: serverjs is found not vulnerable due to the use of SSL certificates server-nossljs is vulnerable to the continuation flood attack clientjs is a small client script to test the HTTP2 server exploit

New HTTP/2 DoS attack can crash web servers with a single connection

BleepingComputer • Bill Toulas • 04 Apr 2024

New HTTP/2 DoS attack can crash web servers with a single connection By Bill Toulas April 4, 2024 11:28 AM 0 Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations. HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple r...

CVE-2024-27983

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

Recent Articles

References

Vulmon Search

About

Products

Connect