CVE-2024-27983

HIGH

Node.js < 18.20.1, 19.x, < 20.12.1, < 21.7.2 - Denial of Service via HTTP/2 Frame Handling Race Condition

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-27983. PoC published by lirantal.

AI-analyzed exploit summary: This repository contains a working proof-of-concept exploit for CVE-2024-27983, demonstrating a continuation flood vulnerability in HTTP/2 servers. The exploit targets Node.js HTTP/2 servers without SSL, causing denial-of-service by overwhelming the server with malformed continuation frames.

Description

An attacker can make a Node.js HTTP/2 server completely unavailable by sending a small number of packets, each carrying a few HTTP/2 frames. Data can be left behind in nghttp2 memory after a reset when headers are sent to the server using HTTP/2 CONTINUATION frames and the client then abruptly closes the TCP connection. This triggers the Http2Session destructor while the header frames are still being processed (and held in memory), causing a race condition.

Exploits (1)

nomisec WORKING POC 7 stars
by lirantal · poc
https://github.com/lirantal/CVE-2024-27983-nodejs-http2


Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Node.js HTTP/2 servers (without SSL)
No auth needed
Prerequisites: Network access to the target HTTP/2 server · Target server must be running HTTP/2 without SSL
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.2
EPSS 0.8721
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-362
Status published
Products (18)
NodeJS/Node 10.0 - 10.*
NodeJS/Node 11.0 - 11.*
NodeJS/Node 12.0 - 12.*
NodeJS/Node 13.0 - 13.*
NodeJS/Node 14.0 - 14.*
NodeJS/Node 15.0 - 15.*
NodeJS/Node 16.0 - 16.*
NodeJS/Node 17.0 - 17.*
NodeJS/Node 18.0 - 18.20.1
NodeJS/Node 19.0 - 19.*
... and 8 more
Published Apr 09, 2024
Tracked Since Feb 18, 2026