{"id":"AZL-39587","summary":"CVE-2024-27983 affecting package nodejs18 for versions less than 18.18.2-7","details":"An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. Some data can be left in nghttp2 memory after a reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the client then abruptly closes the TCP connection, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), which causes a race condition.","modified":"2026-04-01T05:13:49.787822Z","published":"2024-04-09T01:15:49Z","upstream":["CVE-2024-27983"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27983"}],"affected":[{"package":{"name":"nodejs18","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/nodejs18"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.18.2-7"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-39587.json"}}],"schema_version":"1.7.5"}