{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-27983", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-02-29T01:04:06.641Z", "datePublished": "2024-04-09T01:06:43.681Z", "dateUpdated": "2025-04-30T22:25:15.944Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition."}], "affected": [{"product": "Node", "vendor": "NodeJS", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.*"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.*"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.*"}, {"versionType": "semver", "version": "17.0", "status": "affected", "lessThan": "17.*"}, {"versionType": "semver", "version": "18.0", "status": "affected", "lessThan": "18.20.1"}, {"versionType": "semver", "version": "19.0", "status": "affected", "lessThan": "19.*"}, {"versionType": "semver", "version": "20.0", "status": "affected", "lessThan": "20.12.1"}, {"versionType": "semver", "version": "21.0", "status": "affected", "lessThan": "21.7.2"}]}], "references": [{"url": "https://hackerone.com/reports/2319584"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0002/"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:25:15.944Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.943Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2319584", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0002/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-362", "lang": "en", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "affected": [{"vendor": "nodejs", "product": "nodejs", "cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "18.20.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThanOrEqual": "20.12.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThanOrEqual": "21.7.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-09T19:14:56.001352Z", "id": "CVE-2024-27983", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:08:27.458Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2319584", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0002/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.943Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:14:56.001352Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "nodejs", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "18.20.0"}, {"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "20.12.0"}, {"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "21.7.1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T20:11:29.949Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}}], "affected": [{"vendor": "NodeJS", "product": "Node", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.20.1", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}, {"status": "affected", "version": "20.0", "lessThan": "20.12.1", "versionType": "semver"}, {"status": "affected", "version": "21.0", "lessThan": "21.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/2319584"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0002/"}], "descriptions": [{"lang": "en", "value": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:25:15.944Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27983", "state": "PUBLISHED", "dateUpdated": "2025-04-30T22:25:15.944Z", "dateReserved": "2024-02-29T01:04:06.641Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-04-09T01:06:43.681Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition."}, {"lang": "es", "value": "Un atacante puede hacer que el servidor HTTP/2 de Node.js no est\u00e9 completamente disponible enviando una peque\u00f1a cantidad de paquetes de tramas HTTP/2 con algunas tramas HTTP/2 en su interior. Es posible dejar algunos datos en la memoria nghttp2 despu\u00e9s del reinicio cuando los encabezados con el frame de CONTINUATION HTTP/2 se env\u00edan al servidor y luego el cliente cierra abruptamente una conexi\u00f3n TCP activando el destructor Http2Session mientras los frames de encabezado a\u00fan se est\u00e1n procesando (y almacenando en la memoria) causando una condici\u00f3n de ejecuci\u00f3n."}], "id": "CVE-2024-27983", "lastModified": "2025-03-14T18:15:27.830", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2024-04-09T01:15:49.197", "references": [{"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"source": "support@hackerone.com", "url": "https://hackerone.com/reports/2319584"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20240510-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2319584"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240510-0002/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Bartek Nowotarski (nowotarski.info) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:2778", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8090020240422150739.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2780", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8090020240429131734.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:3553", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "nodejs:16-8060020240515105144.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3553", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "nodejs:16-8060020240515105144.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3553", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "nodejs:16-8060020240515105144.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:4353", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "nodejs:16-8080020240510090838.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4824", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "nodejs:18-8080020240621122004.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:2779", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9040020240422140329.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:2853", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9040020240419140200.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-15T00:00:00Z"}, {"advisory": "RHSA-2024:2910", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.20.2-8.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-20T00:00:00Z"}, {"advisory": "RHSA-2024:3545", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "nodejs-1:16.20.2-6.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:2937", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs-1:16.20.2-5.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-21T00:00:00Z"}, {"advisory": "RHSA-2024:3544", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "nodejs:18-9020020240516091141.rhel9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3472", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.21.3-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-05-29T00:00:00Z"}], "bugzilla": {"description": "nodejs: CONTINUATION frames DoS", "id": "2272764", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272764"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.", "A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which could use up compute or memory resources, causing a denial of service."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-27983", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27983\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27983\nhttps://nodejs.org/en/blog/vulnerability/april-2024-security-releases\nhttps://nowotarski.info/http2-continuation-flood/\nhttps://www.kb.cert.org/vuls/id/421644"], "statement": "Red Hat rates the security impact of this vulnerability as Important due to the worst-case scenario resulting in a denial of service, in alignment with the upstream Node.js project. It is simple to exploit, could significantly impact availability, and there is no reasonable mitigation. Once an attack has ended, the system should return to normal operations on its own.", "threat_severity": "Important"}