Node.js
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*
- ~18
- ~20
- ~22
- ~23
A memory leak vulnerability has been identified in Node.js versions 18.x, 20.x, 22.x, and 23.x, specifically within the HTTP/2 Server implementation. The issue arises when a remote peer abruptly closes the socket without sending a GOAWAY notification, or when an invalid header is detected by nghttp2, leading to connection termination. This flaw can cause increased memory consumption and potentially result in a denial-of-service condition under certain circumstances.
Exploitation of this vulnerability can lead to a memory leak outside the heap, causing increased memory usage and potential denial-of-service conditions.
Users can upgrade to Node.js versions 18.20.6, 20.18.2, 22.13.1, or 23.6.1 to address this vulnerability.