CVE-2024-27983: 
npm vulnerability analysis and mitigation

CVE-2024-27983 is a high-severity vulnerability affecting Node.js HTTP/2 server implementations in versions 18.x, 20.x, and 21.x. The vulnerability was discovered and disclosed in April 2024. The issue allows an attacker to make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with HTTP/2 CONTINUATION frames (Node.js Blog).

The vulnerability occurs when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed and stored in memory. This creates a race condition that can leave data in nghttp2 memory after reset. The vulnerability has been assigned a CVSS v3.0 base score of 8.2 (HIGH) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (HackerOne).

Successful exploitation of this vulnerability can lead to a complete denial of service (DoS) of the Node.js HTTP/2 server. The attack requires only a small amount of HTTP/2 frames to be effective, making it particularly dangerous. The vulnerability affects the availability of the server and can potentially lead to addition or modification of data (CERT Advisory).

The vulnerability has been patched in Node.js versions 20.12.1 and later. The fix ensures to close the stream when destroying the session. Organizations using affected versions should upgrade to the patched versions immediately. The fix was contributed by Anna Henningsen (Node.js Blog).