Node.js HTTP/2 Server Denial-of-Service Vulnerability via Malformed HEADERS Frame

Vulnerability

A denial-of-service vulnerability has been identified in the Node.js HTTP/2 server. When the server receives a malformed HEADERS frame whose HPACK-encoded header block is oversized and invalid, the resulting error is emitted on the underlying TLSSocket and nothing handles it. In Node.js an 'error' event with no listener is an uncaught exception, so the process crashes. The issue therefore primarily affects applications that do not register explicit 'error' handlers on their secure sockets. Because HPACK decoding happens before any application-level request handling, any peer able to open an HTTP/2 connection to the server can trigger it, giving a remote denial-of-service condition.

Impact

Exploitation crashes the Node.js process. Every connection and in-flight request served by that process is dropped, and a deployment that restarts automatically can be held down by repeated triggering, which is how the crash potentially turns into resource exhaustion. It can be triggered by any client that can establish an HTTP/2 connection to the server.

Remediation

Users can update to Node.js versions 25.3.0, 24.13.0, or 22.22.0, all of which include the necessary fix. Instructions for downloading these versions are available on the Node.js website. Registering explicit 'error' handlers on secure sockets reduces exposure for applications that lack them, but it is a stopgap; the upgrade is the fix.

Added: Jan 20, 2026, 9:27 PM
Updated: Jan 20, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 2.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.