CVE-2019-5739
N/A
N/A
Summary
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Node.js | Node.js | All versions prior to 6.17.0 | affected |
Weaknesses
- CWE-400: CWE-400: Uncontrolled Resource Consumption / Denial of Service
ADP Enrichment
CVE Program Container
Additional References
- https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- https://security.netapp.com/advisory/ntap-20190502-0008/
- https://security.gentoo.org/glsa/202003-48
References
- https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
- https://security.netapp.com/advisory/ntap-20190502-0008/
- https://security.gentoo.org/glsa/202003-48
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.