Resource exhaustion in Node.js - CVE-2018-12122

 

Resource exhaustion in Node.js - CVE-2018-12122

Published: November 29, 2018


Vulnerability identifier: #VU16169
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-12122
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Node.js Foundation
Affected software:
Node.js

Detailed vulnerability description

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to the socket is destroyed on the next received chunk when headers are not completely received within this period. A remote attacker can send headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, consume excessive resources and cause the service to crash.


How to mitigate CVE-2018-12122

The vulnerability has been fixed in the versions 6.15.0, 8.14.0, 10.14.0, 11.3.0.

Sources