Resource Exhaustion Affecting nodejs-docs package, versions <1:10.16.3-2.module+el8.0.0+4214+49953fda


Severity

Recommended
high

Based on CentOS security rating.

Threat Intelligence

EPSS
1.14% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-NODEJSDOCS-1992308
  • published26 Jul 2021
  • disclosed28 Feb 2019

Introduced: 28 Feb 2019

CVE-2019-5737  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade Centos:8 nodejs-docs to version 1:10.16.3-2.module+el8.0.0+4214+49953fda or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs-docs package and not the nodejs-docs package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

CVSS Scores

version 3.1