#VU16169 Resource exhaustion in Node.js


Published: 2018-11-29

Vulnerability identifier: #VU16169

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12122

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description
The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists because the Node.js HTTP server did not bound the time a client may take to deliver a complete set of request headers (a Slowloris-style attack). A remote attacker can send headers very slowly, keeping HTTP or HTTPS connections and their associated resources alive for a long period of time, consume excessive server resources and cause a denial of service for legitimate clients.

Mitigation
The vulnerability has been fixed in versions 6.15.0, 8.14.0, 10.14.0 and 11.3.0. The fix applies a 40 second timeout to servers receiving HTTP headers; where the headers are not completely received within this period, the socket is destroyed on the next received chunk. The value can be adjusted with server.headersTimeout.

Vulnerable software versions

Node.js: 6.0.0, 6.1.0, 6.2.0 - 6.2.2, 6.3.0 - 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0 - 6.8.1, 6.9.0 - 6.9.5, 6.13.0 - 6.13.1, 6.14.0 - 6.14.4, 8.0.0, 8.1.0 - 8.1.4, 8.2.0 - 8.2.1, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0 - 8.8.1, 8.9.0 - 8.9.4, 8.10.0, 8.11.0 - 8.11.4, 8.12.0, 8.13.0, 10.0.0, 10.1.0, 10.2.0 - 10.2.1, 10.3.0, 10.4.0 - 10.4.1, 10.6.0, 10.7.0, 10.8.0, 10.9.0, 10.10.0, 10.11.0, 10.12.0, 10.13.0, 11.0.0, 11.1.0, 11.2.0


External links
http://nodejs.org/en/blog/vulnerability/november-2018-security-releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
