CVE-2019-5739

State: PUBLISHED · Published: 2019-03-28 · Updated: 2024-08-04 · Assigner: nodejs

Description

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

CWE

CWE-400 — CWE-400: Uncontrolled Resource Consumption / Denial of Service

Affected

Node.js / Node.js — v=All versions prior to 6.17.0 [affected]

CVSS

(none)

References

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html vendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html vendor-advisory, x_refsource_SUSE
https://security.netapp.com/advisory/ntap-20190502-0008/ x_refsource_CONFIRM
https://security.gentoo.org/glsa/202003-48 vendor-advisory, x_refsource_GENTOO

Source

cvelistV5-main/cves/2019/5xxx/CVE-2019-5739.json