PT-2018-11028 · Node.Js+4 · Node.Js+4

Trevor Norris

·

Published

2018-11-27

·

Updated

2026-05-18

·

CVE-2018-12121

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Node.js versions prior to 10.14.0 Node.js versions prior to 11.3.0
Description The issue allows for a Denial of Service with large HTTP headers. By using a combination of many requests with maximum sized headers, and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. The attack potential is mitigated by the use of a load balancer or other proxy layer.
Recommendations For versions prior to 6.15.0, update to version 6.15.0 or later. For versions prior to 8.14.0, update to version 8.14.0 or later. For versions prior to 10.14.0, update to version 10.14.0 or later. For versions prior to 11.3.0, update to version 11.3.0 or later.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALT-PU-2018-2749
CESA-2019_2258
CESA-2019_3497
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2018-12121
MGASA-2019-0277
OPENSUSE-SU-2019:0089-1
OPENSUSE-SU-2019_0088-1
OPENSUSE-SU-2019_0089-1
OPENSUSE-SU-2019_0234-1
RHSA-2019:1821
RHSA-2019:2258
RHSA-2019:2939
RHSA-2019:3497
RHSA-2019_2258
RHSA-2019_3497
SUSE-SU-2019:0117-1
SUSE-SU-2019:0118-1
SUSE-SU-2019:0395-1
SUSE-SU-2019:14246-1
SUSE-SU-2019_14246-1

Affected Products

Alt Linux
Centos
Node.Js
Red Hat
Suse