In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
The product does not properly control the allocation and maintenance of a limited resource.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
| Link | Tags |
|---|---|
| https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ | third party advisory |
| http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html | vendor advisory mailing list third party advisory |
| http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html | vendor advisory mailing list third party advisory |
| http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html | vendor advisory mailing list third party advisory |
| https://security.netapp.com/advisory/ntap-20190502-0008/ | third party advisory |
| https://access.redhat.com/errata/RHSA-2019:1821 | third party advisory vendor advisory |
| https://security.gentoo.org/glsa/202003-48 | third party advisory vendor advisory |