AZL-39587

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39587.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-39587

Upstream

CVE-2024-27983

Published

2024-04-09T01:15:49Z

Modified

2026-04-01T05:13:49.787822Z

Summary

CVE-2024-27983 affecting package nodejs18 for versions less than 18.18.2-7

Details

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27983

Affected packages

Azure Linux:2 / nodejs18

Package

Name: nodejs18
Purl: pkg:rpm/azure-linux/nodejs18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.18.2-7

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39587.json"