HIGH · CVSS 7.5

CVE-2024-27983 — Node.js HTTP/2 DoS via unauthenticated reset-stream flood

An unauthenticated HTTP/2 rapid-reset attack against Node.js could drive the server to 100% CPU with only a small number of concurrent connections, effectively denying service to every Node.js HTTP/2 endpoint.

Affects
  • Node.js 18 < 18.20.0
  • Node.js 20 < 20.12.0
  • Node.js 21 < 21.7.2

What an attacker does

The attacker opens HTTP/2 streams and immediately cancels them. Before the patch, Node.js continued the expensive stream setup work even after cancellation. A sustained attack pins the CPU.

How to detect

Same as for CVE-2024-27982: check the installed version with `node --version` and compare it against the affected ranges listed above.
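The version check above, as an added example (not Securie's or the Node.js project's code): it parses the string `node --version` prints and compares it against the three affected ranges in this advisory. It assumes the command name `node` is on PATH and returns None for release lines this advisory does not cover.

```python
import re
import subprocess

# First fixed release per affected line, taken from the Affects list of this advisory.
FIXED_IN = {
    18: (18, 20, 0),
    20: (20, 12, 0),
    21: (21, 7, 2),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'v20.11.1' (the form `node --version` prints) into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Node.js version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version is below the fix in an affected line, False if at or
    above it, None if the release line (e.g. 16.x, 22.x) is not covered by this
    advisory and must be assessed separately."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def local_node_version():
    """Run `node --version` on this host; None when node is not installed (assumed command name)."""
    try:
        out = subprocess.run(["node", "--version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    ver = local_node_version()
    if ver is None:
        print("node not found on PATH")
    else:
        verdict = {True: "AFFECTED", False: "fixed", None: "not covered by this advisory"}[is_affected(ver)]
        print(f"{ver}: {verdict}")
```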

How to fix

Upgrade Node.js to a fixed release (18.20.0, 20.12.0 or 21.7.2, or later). Additionally, if you front Node with a reverse proxy (nginx, Caddy), enable HTTP/2 rate limiting there.

How Securie catches it

Securie pairs Node version detection with HTTP/2 endpoint discovery.

References