CVE-2024-27983 : An attacker can make the Node.js HTTP/2 server completely unavailable by sending

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Published 2024-04-09 01:15:49

Updated 2025-03-14 18:15:28

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2024-27983

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-27983

EPSS FAQ

68.65%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-27983

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H	3.9	4.2	HackerOne	2024-04-09
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	RedHat-CVE-2024-27983	2024-04-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2024-27983

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-27983

http://www.openwall.com/lists/oss-security/2024/04/03/16

oss-security - CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

CVEs referencing this url
https://hackerone.com/reports/2319584

Node.js | Report #2319584 - "Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash | HackerOne
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/

[SECURITY] Fedora 39 Update: nodejs20-20.12.2-1.fc39 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/

[SECURITY] Fedora 40 Update: nodejs20-20.12.2-1.fc40 - package-announce - Fedora Mailing-Lists
https://security.netapp.com/advisory/ntap-20240510-0002/

CVE-2024-27983 Node.js Vulnerability in NetApp Products | NetApp Product Security

Jump to

Vulnerability Details : CVE-2024-27983

Products affected by CVE-2024-27983

Exploit prediction scoring system (EPSS) score for CVE-2024-27983

CVSS scores for CVE-2024-27983

CWE ids for CVE-2024-27983

References for CVE-2024-27983