Overview
- Description
- An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. Some data can be left in nghttp2 memory after a reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the client then abruptly closes the TCP connection, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), which causes a race condition.
- Source
- support@hackerone.com
- NVD status
- Awaiting Analysis
Risk scores
CVSS 3.0
- Type
- Secondary
- Base score
- 8.2
- Impact score
- 4.2
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
- Severity
- HIGH
Social media
- Hype score
- Not currently trending
#exploit 1. CVE-2024-44133: Privacy Controls Bypasses in Safari (+ "HM-Surf" evaluator) https://t.co/hmtWNvAm0T 2. CVE-2024-27983: HTTP2 Node.js server DoS https://t.co/tbe7oV3vkJ
@ksg93rd
Oct 20, 2024 6:34 PM
#exploit #CyberSecurity 1. CVE-2024-44133: Privacy Controls Bypasses in Safari (+ "HM-Surf" evaluator) https://t.co/mIejpGFopB 2. CVE-2024-27983: HTTP2 Node.js server DoS https://t.co/032awWZQg1
@ShaiiikShoaiiib
Oct 20, 2024 6:05 PM