CVE-2017-14919

HIGH

Node.js <4.8.5,6.x<6.11.5,8.x<8.8.0 - DoS

Title source: llm

Description

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

References (5)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101881

[Vendor Advisory] https://nodejs.org/en/blog/release/v4.8.5/

[Vendor Advisory] https://nodejs.org/en/blog/release/v6.11.5/

[Vendor Advisory] https://nodejs.org/en/blog/release/v8.8.0/

[Vendor Advisory] https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Scores

CVSS v3 7.5

EPSS 0.0104

EPSS Percentile 77.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-20

Status draft

Affected Products (23)

nodejs/node.js

... and 8 more

Timeline

Published Oct 30, 2017

Tracked Since Feb 18, 2026