Published: 2025-02-08
Modified: 2025-03-14

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

Metric | NVD | openEuler |
---|---|---|
Confidentiality | None | |
Attack Vector | Network | |
CVSS Score | N/A | 5.3 |
Attack Complexity | Low | |
Privileges Required | None | |
Scope | Unchanged | |
Integrity | None | |
User Interaction | None | |
Availability | Low | |

Advisory | Summary | Published |
---|---|---|
KylinSec-SA-2025-1625 | nodejs security update | 2025-03-18 |
KylinSec-SA-2025-1650 | nodejs security update | 2025-03-24 |

Product | Package | Status |
---|---|---|
KY3.4-5A | nodejs | Fixed |
KY3.5.3 | nodejs | Fixed |
V6 | nodejs | Fixed |