PT-2019-3464 · Apple+9 · Swiftnio+9

Jonathan Looney · Published 2019-08-13 · Updated 2026-05-18 · CVE-2019-9516

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

nginx (affected versions not specified)
Node.js (affected versions not specified)
SwiftNIO (affected versions not specified)

Description

The issue is uncontrolled resource consumption in HTTP/2 implementations when they receive a header with a length parameter set to zero, which can lead to a denial of service. An attacker can exploit this by sending a stream of headers with 0-length header names and 0-length header values. Some implementations allocate memory for these headers and keep it alive until the session ends, which causes excess memory consumption.

Recommendations

For nginx, consider restricting or disabling HTTP/2 support until a patch is available. For Node.js, avoid using HTTP/2 implementations that allocate memory for 0-length headers until a fix is provided. For SwiftNIO, as a temporary workaround, consider disabling the HTTP/2 protocol to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
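
The description above explains why a limit that only sums name and value octets never triggers on 0-length headers. The following added example (not code from nginx, Node.js or SwiftNIO) shows per-connection accounting that charges the 32-octet per-field overhead RFC 7540 section 6.5.2 uses for SETTINGS_MAX_HEADER_LIST_SIZE and rejects empty header names before anything is stored. The class, exception, limits and sample input are hypothetical and constructed for illustration.

```python
# Added example: accounting for decoded HTTP/2 header fields on one connection.
from dataclasses import dataclass

# Per-field overhead RFC 7540 section 6.5.2 adds when sizing a header list.
ENTRY_OVERHEAD = 32


class HeaderLimitExceeded(Exception):
    """Hypothetical error: the caller should reset the stream or close the connection."""


def naive_size(fields):
    """Payload-only accounting: name and value octets, no per-field cost."""
    return sum(len(name) + len(value) for name, value in fields)


def accounted_size(fields):
    """Overhead-aware accounting: name + value + 32 octets per field."""
    return sum(len(name) + len(value) + ENTRY_OVERHEAD for name, value in fields)


@dataclass
class ConnectionHeaderGuard:
    max_list_size: int = 16 * 1024   # assumed limit per header block, in octets
    max_empty_fields: int = 0        # assumed policy: no empty names tolerated
    empty_seen: int = 0              # running count for the whole connection

    def check_block(self, fields):
        """Validate one decoded header block before any field is retained."""
        for name, _value in fields:
            if len(name) == 0:
                self.empty_seen += 1
                if self.empty_seen > self.max_empty_fields:
                    raise HeaderLimitExceeded("empty header name")
        size = accounted_size(fields)
        if size > self.max_list_size:
            raise HeaderLimitExceeded(
                f"header list size {size} exceeds {self.max_list_size}")
        return size


# Constructed input: an ordinary request block and a block of 1000 empty fields.
NORMAL = [(b":method", b"GET"), (b":path", b"/"), (b"host", b"example.test")]
EMPTY_FLOOD = [(b"", b"")] * 1000
```

With these inputs the payload-only sum for the empty block is zero, while the overhead-aware sum is 32000 octets, so the block is rejected even if the empty-name policy is relaxed.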

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALSA-2019:2799
ALSA-2019:2925
ALT-PU-2019-2600
ALT-PU-2019-2823
ALT-PU-2019-3050
ALT-PU-2020-2195
BDU:2019-03638
CESA-2019_2799
CESA-2019_2925
CLEANSTART-2026-AF45008
CLEANSTART-2026-BA37192
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-MQ02912
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CLEANSTART-2026-XB16901
CLEANSTART-2026-ZN32454
CLEANSTART-2026-ZT77083
CVE-2019-9516
DSA-4505-1
MGASA-2019-0342
MGASA-2020-0372
OPENSUSE-SU-2019:2114-1
OPENSUSE-SU-2019:2115-1
OPENSUSE-SU-2019:2120-1
OPENSUSE-SU-2019:2264-1
OPENSUSE-SU-2019_2114-1
OPENSUSE-SU-2019_2115-1
OPENSUSE-SU-2019_2120-1
OPENSUSE-SU-2019_2264-1
OPENSUSE-SU-2024:11092-1
RHSA-2019:2745
RHSA-2019:2746
RHSA-2019:2775
RHSA-2019:2799
RHSA-2019:2925
RHSA-2019:2939
RHSA-2019:2946
RHSA-2019:2955
RHSA-2019:3932
RHSA-2019:3933
RHSA-2019_2799
RHSA-2019_2925
RLSA-2019:2799
RLSA-2019:2925
SUSE-SU-2019:14246-1
SUSE-SU-2019:2254-1
SUSE-SU-2019:2259-1
SUSE-SU-2019:2260-1
SUSE-SU-2019:2309-1
SUSE-SU-2019:2559-1
SUSE-SU-2019_14246-1
SUSE-SU-2020:0059-1
USN-4099-1

Affected Products

ALT Linux
AlmaLinux
CentOS
nginx
Node.js
Red Hat
Rocky Linux
SUSE
SwiftNIO
Ubuntu