CVE-2024-2511: 
Node.js vulnerability analysis and mitigation

CVE-2024-2511 is a vulnerability in OpenSSL affecting TLSv1.3 server configurations that can cause unbounded memory growth. The vulnerability was discovered on February 27, 2024, by Manish Patidar from Hewlett Packard Enterprise and publicly disclosed on April 8, 2024. This issue affects OpenSSL versions 3.2, 3.1, 3.0, and 1.1.1, specifically impacting TLS servers supporting TLSv1.3 (OpenSSL Advisory).

The vulnerability occurs when the non-default SSLOPNOTICKET option is being used (except when earlydata support is configured with default anti-replay protection). Under certain conditions, the session cache can enter an incorrect state and fail to flush properly as it fills, leading to continuous unbounded memory growth. The issue is specifically related to how session objects are handled when marked as not_resumable, causing them to remain in the cache indefinitely. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. A malicious client could deliberately create scenarios that trigger unbounded memory growth, or it may occur accidentally during normal operation. The issue only affects TLS servers supporting TLSv1.3 and does not impact TLS clients (OpenSSL Advisory).

OpenSSL has released fixes for affected versions: OpenSSL 3.2 users should upgrade to 3.2.2, 3.1 users to 3.1.6, 3.0 users to 3.0.14, and 1.1.1 users (premium support only) to 1.1.1y. The fixes are also available in specific commits: e9d7083e (for 3.2), 7e4d731b (for 3.1), and b52867a9 (for 3.0). For premium support customers, the fix is available in commit 5f8d2577 (for 1.1.1) (OpenSSL Advisory).