CVE-2019-9514

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RSTSTREAM frames from the peer. Depending on how the peer queues the RSTSTREAM frames, this can consume excess memory, CPU, or both.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

f76ce0a75641991bfc235775a4747c978e0e281b

Fixed

5744b466c45d5324c60f122b02681813d4496749

Introduced

ab4af087e83d91a46354d765306d3543b1d85423

Fixed

75657ee41677d56a498e298b01d049aef5bf199f

Introduced

2f45ad8060e13d5ac912335096d21526f2f9602b

Fixed

787378879acfb212ed4ff824bf9f767a24a5cb43

Introduced

f6fc46e03674ab1896792b7363ecac0665b5e0c5

Fixed

eb66efd6052801e2f10360c51787569da0185808

Affected versions

v10.*

v10.13.0

v10.14.0

v10.14.1

v10.14.2

v10.15.0

v10.15.1

v10.15.2

v10.15.3

v10.16.0

v10.16.1

v10.16.2

v12.*

v12.0.0

v12.1.0

v12.2.0

v12.3.0

v12.3.1

v12.4.0

v12.5.0

v12.6.0

v12.7.0

v12.8.0

v8.*

v8.10.0

v8.11.0

v8.11.1

v8.11.2

v8.11.3

v8.11.4

v8.12.0

v8.13.0

v8.14.0

v8.14.1

v8.15.0

v8.15.1

v8.16.0

v8.9.0

v8.9.1

v8.9.2

v8.9.3

v8.9.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9514.json"