Denial of Service Vulnerability in Node.js by OpenJS Foundation
CVE-2019-5737
What is CVE-2019-5737?
Node.js versions prior to 6.17.0, 8.15.1, 10.15.2, and 11.10.1 are susceptible to a denial-of-service (DoS) attack. An attacker can exploit this by establishing HTTP or HTTPS connections in keep-alive mode and sending headers at a slow rate. This keeps the connections and their associated resources alive for an extended period, which can lead to service disruptions. Mitigation strategies include deploying load balancers or proxy layers to manage traffic more effectively. This vulnerability is related to a previous security issue (CVE-2018-12121) and affects all actively maintained Node.js release lines.
Affected Version(s)
- Node.js: all versions prior to 6.17.0
- Node.js: all versions prior to 8.15.1
- Node.js: all versions prior to 10.15.2
EPSS Score
38% chance of being exploited in the next 30 days.
Timeline
- Vulnerability published
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability Reserved