CVE-2019-5737 in Node.js
Summary
by MITRE
An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active release lines including 6, 8, 10 and 11.
Analysis
by VulDB Data Team • 08/24/2025
This vulnerability represents a sophisticated denial of service attack vector that exploits the HTTP keep-alive connection mechanism to exhaust system resources through deliberately slow data transmission. The flaw occurs when an attacker establishes an HTTP or HTTPS connection in keep-alive mode and then sends headers at an extremely slow pace, maintaining the connection for extended periods without actually transferring meaningful data. This technique effectively ties up server resources including memory, file descriptors, and connection handles that would otherwise be available for legitimate requests. The vulnerability affects multiple active release lines including versions 6, 8, 10, and 11, indicating a widespread impact across the software's lifecycle. The attack pattern specifically targets the HTTP protocol's connection management behavior, where the server maintains state for each active connection even when no actual data is being transmitted, creating a resource exhaustion scenario. This vulnerability is classified under CWE-400 as an Uncontrolled Resource Consumption vulnerability, which falls under the broader category of resource exhaustion attacks that have been documented in various security frameworks. The attack methodology aligns with techniques described in the MITRE ATT&CK framework under the T1499.004 sub-technique for Network Denial of Service, where adversaries leverage protocol weaknesses to consume network resources. The impact is particularly severe because it can be executed with minimal bandwidth requirements, making it difficult to detect and mitigate through traditional network monitoring approaches. The vulnerability represents an extension of CVE-2018-12121, which suggests a pattern of protocol-level resource management issues that require comprehensive architectural fixes rather than simple patches.
The attack relies on the HTTP keep-alive feature, which allows multiple requests to be sent over a single connection to improve performance. A malicious client abuses this feature by holding connections open indefinitely while trickling header bytes in at a pace slow enough to transfer nothing useful yet steady enough to avoid tripping ordinary inactivity timeouts. The server therefore keeps connection state for every slow connection, and those resources cannot be recycled for legitimate requests. A single client connection suffices to demonstrate the problem, and opening many such connections in parallel multiplies the effect until server capacity is exhausted. The attack is especially insidious because it needs neither high bandwidth nor complex payloads, so it is within reach of attackers with minimal resources. The Slowloris attack pattern, which this vulnerability instantiates, was first documented in 2009 and has since been adapted to various protocols and applications. Its effectiveness is amplified by the relatively long default connection timeouts on many servers, which give an attacker ample time to establish and maintain resource-consuming connections.
The operational impact of this vulnerability extends beyond simple service disruption to include significant performance degradation and potential system instability. When multiple slow connections are maintained simultaneously, the server's ability to handle legitimate requests deteriorates rapidly as available resources become consumed. The attack can be particularly damaging in environments where connection limits are not properly configured or where the server architecture does not adequately protect against resource exhaustion attacks. Applications that rely heavily on connection pooling or have limited connection handling capacity are particularly vulnerable to this type of attack. The vulnerability's impact is further amplified in cloud environments or load-balanced architectures where the attack can be distributed across multiple servers, making it more difficult to isolate and mitigate. Organizations may experience cascading failures where the initial resource exhaustion leads to other system components becoming unavailable due to resource constraints. The attack can also mask other legitimate traffic patterns, making it difficult for administrators to distinguish between normal traffic and malicious activity through standard monitoring tools.
Mitigation must address both the immediate attack vector and the underlying architectural weaknesses that enable it. The most effective immediate measure is to configure connection timeouts that are significantly shorter than the defaults, particularly for keep-alive connections and for the delivery of complete request headers. Load balancers and proxy layers add protection through rate limiting and connection tracking that detect and terminate slow-connection patterns. Network-level mitigations include connection rate limiting, intrusion detection systems that recognize Slowloris patterns, and firewall rules that cap the number of concurrent connections from a single client. Resource management policies such as connection-pool limits and maximum connection lifetimes further reduce the attack surface. Organizations should also deploy monitoring that detects unusual connection patterns and triggers automated responses as resource-exhaustion thresholds are approached. Web application firewalls can filter slow-connection patterns before they reach the application layer. In the longer term, architectural improvements such as connection state monitoring, automatic connection cleanup, and resource allocation policies that prevent any single connection from consuming excessive resources address the root cause. Regular security assessments should round out the approach, to identify other protocol-level weaknesses that could be exploited in similar ways.