cve/CVE-2024-27983.md at main

admin/cve

Fork 0

mirror of https://github.com/0xMarcio/cve.git synced 2025-05-05 10:17:57 +00:00

marc 555e9c7de4 Update Sat May 25 21:48:12 CEST 2024

2024-05-25 21:48:12 +02:00

1.2 KiB

Raw Permalink Blame History

CVE-2024-27983

Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

POC

Reference

No PoCs from references.

Github

https://github.com/Ampferl/poc_http2-continuation-flood
https://github.com/DrewskyDev/H2Flood
https://github.com/Vos68/HTTP2-Continuation-Flood-PoC
https://github.com/hex0punk/cont-flood-poc
https://github.com/lirantal/CVE-2024-27983-nodejs-http2
https://github.com/nomi-sec/PoC-in-GitHub

1.2 KiB Raw Permalink Blame History

CVE-2024-27983

Description

POC

Reference

Github

1.2 KiB

Raw Permalink Blame History