Vulnerability Details : CVE-2013-4450
Public exploit exists!
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2013-4450
- cpe:2.3:a:nodejs:nodejs:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.15:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.16:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.23:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.24:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.14:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.15:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.17:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.18:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.25:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.16:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.17:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.13:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.21:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.22:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.12:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.13:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.20:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.19:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.8.20:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.18:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:nodejs:0.10.19:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4450
13.29% probability of exploitation activity in the next 30 days
EPSS Score History
Percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2013-4450
- Node.js HTTP Pipelining Denial of Service
  Disclosure Date: 2013-10-18
  First seen: 2020-04-26
  Module: auxiliary/dos/http/nodejs_pipelining
  This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions released before 0.10.21 and 0.8.26. The attack sends many pipelined HTTP requests on a single connection, which causes unbounded memory allocation when the client does not
CVSS scores for CVE-2013-4450
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2013-4450
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4450
- Node v0.10.21 (Stable) | Node.js (Patch): http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
- Add exploit for Node.js HTTP Pipelining DoS by titanous · Pull Request #2548 · rapid7/metasploit-framework · GitHub (Exploit): https://github.com/rapid7/metasploit-framework/pull/2548
- openSUSE-SU-2013:1863-1: moderate: update for nodejs: http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html
- [DoS security vulnerability. Original title redacted] · Issue #6214 · nodejs/node-v0.x-archive · GitHub: https://github.com/joyent/node/issues/6214
- Node v0.8.26 (Maintenance) | Node.js (Patch): http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
- Node v0.10.21 (Stable) - Google Groups: https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
- Node.js CVE-2013-4450 Denial of Service Vulnerability: http://www.securityfocus.com/bid/63229
- Juniper Networks - 2017-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1: https://kb.juniper.net/JSA10783
- oss-security - Re: CVE Request: Node.js HTTP Pipelining DoS: http://www.openwall.com/lists/oss-security/2013/10/20/1
- RHSA-2013:1842 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2013-1842.html