CVE-2019-5737
nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
En Node.js, que incluye la versión 6.x en versiones anteriores a la 6.17.0, 8.x en versiones anteriores a la 8.15.1, 10.x en versiones anteriores a la 10.15.2 y 11.x en versiones anteriores a la 11.10.1, un atacante puede provocar una denegación de servicio (DoS) instalando una conexión HTTP o HTTPS en modo keep-alive y enviando encabezados muy lentamente. Esto mantiene la conexión y los recursos asociados activos durante un largo período de tiempo. Los posibles ataques se ven reducido mediante el uso de un equilibrador de carga u otra capa proxy. Esta vulnerabilidad es una extensión de CVE-2018-12121, abordada en noviembre y afecta a todas las líneas de versión activas de Node.js, incluidas 6.x en versiones anteriores a la 6.17.0, 8.x en versiones anteriores a la 8.15.1, 10.x en versiones anteriores a la 10.15.2, y 11.x en versiones anteriores a la 11.10.1.
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-01-09 CVE Reserved
- 2019-03-28 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://nodejs.org/en/blog/vulnerability/february-2019-security-releases | Third Party Advisory | |
| https://security.netapp.com/advisory/ntap-20190502-0008 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 6.0.0 < 6.17.0 Search vendor "Nodejs" for product "Node.js" and version " >= 6.0.0 < 6.17.0" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 8.0.0 < 8.15.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 < 8.15.1" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 10.0.0 < 10.15.2 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 < 10.15.2" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 11.0.0 < 11.10.1 Search vendor "Nodejs" for product "Node.js" and version " >= 11.0.0 < 11.10.1" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 42.3 Search vendor "Opensuse" for product "Leap" and version "42.3" | - |
Affected
| ||||||