CVE-2024-27983
CVE-2024-27983 is a high-severity vulnerability with a CVSS 3.x base score of 8.2. Its EPSS exploit-prediction score of 87% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-362.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 87% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-25157
- Weakness: CWE-362
- Published:
- Last modified:
Description
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Frequently asked questions
- What is CVE-2024-27983?
- An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
- How severe is CVE-2024-27983?
- CVE-2024-27983 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability high.
- Is CVE-2024-27983 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 87% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-27983?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-27983 have an EU (EUVD) identifier?
- Yes. CVE-2024-27983 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-25157.
- When was CVE-2024-27983 published?
- CVE-2024-27983 was published on 2024-04-09 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- https://hackerone.com/reports/2319584
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/
- https://security.netapp.com/advisory/ntap-20240510-0002/
- https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html
- https://www.kb.cert.org/vuls/id/421644
Other CWE-362 (Race Condition) vulnerabilities
- CVE-2022-27626 — Critical (CVSS 10.0): A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition')…
- CVE-2015-8556 — Critical (CVSS 10.0): Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
- CVE-2014-0703 — Critical (CVSS 10.0): Cisco Wireless LAN Controller (WLC) devices 7.4 before 7.4.110.0 distribute Aironet IOS software with a race condition…
- CVE-2010-1228 — Critical (CVSS 10.0): Multiple race conditions in the sandbox infrastructure in Google Chrome before 4.1.249.1036 have unspecified impact and…
- CVE-2008-6598 — Critical (CVSS 10.0): Multiple race conditions in WANPIPE before 3.3.6 have unknown impact and attack vectors related to "bri restart logic."
- CVE-2026-46137 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential…