nodejs · RafaelGSS · Apr 3, 2024 · Apr 3, 2024
@@ -0,0 +1,12 @@
+{
+    "cve": [
+        "CVE-2024-27983"
+    ],
+    "vulnerable": "18.x || 20.x || 21.x",
+    "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
+    "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+    "overview": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.",
+    "affectedEnvironments": [
+        "all"
+    ]
+}
@@ -0,0 +1,12 @@
+{
+    "cve": [
+        "CVE-2024-27982"
+    ],
+    "vulnerable": "18.x || 20.x || 21.x",
+    "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
+    "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+    "overview": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.",
+    "affectedEnvironments": [
+        "all"
+    ]
+}