Denial of Service Vulnerability in Node.js from Multiple Versions
CVE-2018-12122

7.5HIGH

Key Information:

Vendor

The Node.js Project

Status
Node.js
Vendor
CVE Published:
28 November 2018

What is CVE-2018-12122?

The vulnerability in Node.js allows attackers to perform a Slowloris HTTP Denial of Service attack by slowly sending headers to the affected Node.js versions. This technique keeps HTTP or HTTPS connections active, consuming server resources for an extended period and potentially disrupting service availability. Immediate updates to Node.js versions 6.15.0, 8.14.0, 10.14.0, or 11.3.0 and above are essential to mitigate this vulnerability.

Affected Version(s)

Node.js All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0

References

https://nodejs.org/en/blog/vulnerability/november-2018-se...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/106043
vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2019:1821
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.