CVE-2019-5737
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-5737
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5737.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-5737
- Downstream
- Related
- Published
- 2019-03-28T17:29:01Z
- Modified
- 2025-10-21T05:09:44.528966Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html
- https://access.redhat.com/errata/RHSA-2019:1821
- https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20190502-0008/
Affected packages
Git / github.com/nodejs/node
Affected versions
v6.*
v6.0.0
v6.1.0
v6.10.0
v6.10.1
v6.10.2
v6.10.3
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.12.0
v6.12.1
v6.12.2
v6.12.3
v6.13.0
v6.13.1
v6.14.0
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.15.0
v6.15.1
v6.16.0
v6.2.0
v6.2.1
v6.2.2
v6.3.0
v6.3.1
v6.4.0
v6.5.0
v6.6.0
v6.7.0
v6.8.0
v6.8.1
v6.9.0
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5