An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode-dev" }, { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode115" }, { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "libnode115-dbgsym" }, { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs" }, { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs-dbgsym" }, { "binary_version": "20.16.0+dfsg-1ubuntu1", "binary_name": "nodejs-doc" } ] }