{"id":"CVE-2024-27983","details":"An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.","aliases":["BIT-node-2024-27983","BIT-node-min-2024-27983"],"modified":"2026-02-10T18:28:48.195940Z","published":"2024-04-09T01:15:49Z","related":["ALSA-2024:2778","ALSA-2024:2779","ALSA-2024:2780","ALSA-2024:2853","ALSA-2024:2910","MGASA-2024-0110","SUSE-SU-2024:1301-1","SUSE-SU-2024:1305-1","SUSE-SU-2024:1306-1","SUSE-SU-2024:1307-1","SUSE-SU-2024:1308-1","SUSE-SU-2024:1309-1","SUSE-SU-2024:1346-1","SUSE-SU-2024:1355-1","openSUSE-SU-2024:13851-1","openSUSE-SU-2024:13852-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240510-0002/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/04/03/16"},{"type":"WEB","url":"https://hackerone.com/reports/2319584"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"}],"schema_version":"1.7.3"}