ALT-PU-2024-5094-3

Package update node in branch sisyphus

Version20.12.1-alt1

Published2026-02-04

Max severityHIGH

Severity:

Closed issues (4)

MEDIUM5.3

Уязвимость функции node::http2::Http2Session::~Http2Session() HTTP/2-сервера программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-04-06Modified: 2026-03-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2024-27983

MEDIUM6.1

Уязвимость программной платформы Node.js, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Published: 2024-04-22Modified: 2026-03-04

CVSS 3.xMEDIUM 6.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2024-27982

MEDIUM6.5

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Published: 2024-05-07Modified: 2026-04-15

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

HIGH8.2

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Published: 2024-04-09Modified: 2026-04-15

CVSS 3.xHIGH 8.2

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References