Node.js up to 6.16.x/8.15.0/10.15.1/11.10.0 HTTP Connection Header Slowloris resource consumption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Node.js up to 6.16.x/8.15.0/10.15.1/11.10.0. It has been rated as problematic. This issue affects some unknown processing of the component HTTP Connection Handler. The manipulation as part of Header leads to resource consumption (Slowloris). This vulnerability is uniquely identified as CVE-2019-5737. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability was found in Node.js up to 6.16.x/8.15.0/10.15.1/11.10.0 (JavaScript Library). It has been rated as problematic. This issue affects an unknown function of the component HTTP Connection Handler. The manipulation as part of a Header leads to a resource consumption vulnerability (Slowloris). Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. The summary by CVE is:
An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active release lines including 6, 8, 10 and 11.
The bug was discovered 02/28/2019. The weakness was disclosed 03/28/2019 by Juraj Somorovsky as confirmed advisory (Website). It is possible to read the advisory at nodejs.org. The identification of this vulnerability is CVE-2019-5737 since 01/09/2019. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK. The advisory points out:
All actively supported release lines are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.
The vulnerability was handled as a non-public zero-day exploit for at least 28 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 253266 (Linux Distros Unpatched Vulnerability : CVE-2019-5737), which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 172221 (OpenSUSE Security Update for nodejs4 (openSUSE-SU-2019:1076-1)).
Upgrading to version 6.17.0, 8.15.1, 10.15.2 or 11.10.1 eliminates this vulnerability.
The vulnerability is also documented in the databases at Tenable (253266) and SecurityFocus (BID 107174†). The entries VDB-132588, VDB-133658, VDB-133693 and VDB-133688 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Name
Version
- 6.0
- 6.1
- 6.2
- 6.3
- 6.4
- 6.5
- 6.6
- 6.7
- 6.8
- 6.9
- 6.10
- 6.11
- 6.12
- 6.13
- 6.14
- 6.15
- 6.16
- 8.0
- 8.1
- 8.2
- 8.3
- 8.4
- 8.5
- 8.6
- 8.7
- 8.8
- 8.9
- 8.10
- 8.11
- 8.12
- 8.13
- 8.14
- 8.15.0
- 10.15.0
- 10.15.1
- 11.0
- 11.1
- 11.2
- 11.3
- 11.4
- 11.5
- 11.6
- 11.7
- 11.8
- 11.9
- 11.10.0
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.4VulDB Meta Temp Score: 6.3
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: SlowlorisClass: Resource consumption / Slowloris
CWE: CWE-400 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 253266
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2019-5737
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Node.js 6.17.0/8.15.1/10.15.2/11.10.1
Timeline
01/09/2019 🔍02/26/2019 🔍
02/28/2019 🔍
03/28/2019 🔍
03/29/2019 🔍
08/24/2025 🔍
Sources
Advisory: RHSA-2019:1821Researcher: Juraj Somorovsky
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2019-5737 (🔍)
GCVE (CVE): GCVE-0-2019-5737
GCVE (VulDB): GCVE-100-132587
SecurityFocus: 107174 - OpenSSL CVE-2019-1559 Information Disclosure Vulnerability
See also: 🔍
Entry
Created: 03/29/2019 07:12Updated: 08/24/2025 07:08
Changes: 03/29/2019 07:12 (66), 05/22/2020 17:08 (5), 08/17/2023 14:55 (4), 08/24/2025 07:08 (17)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.