CVE-2019-9514
Severity: HIGH 7.5 | EPSS: 9.3%
Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Published: 1/17/2024 | Modified: 4/28/2026
Description
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
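The mechanism above is that every invalid request obliges the server to answer with RST_STREAM, so the peer's cost of producing a frame is the server's cost of queueing one, and nothing in the protocol caps how many it must queue. The fixed h2 releases (0.3.24, 0.4.2) close that gap by bounding the number of error-triggered resets a single connection may cause before the connection itself is torn down; the cap is exposed on the server builder (`max_local_error_reset_streams`, verify the name and default against the crate docs for your version). The block below is an added, stand-alone model of that class of mitigation, not the h2 crate's own implementation: `ResetBudget`, `on_stream_error`, `simulate_reset_flood`, the sliding-window policy and the constant values are assumptions chosen for this illustration.

```rust
// Added example (not h2's own code): a per-connection budget on locally
// generated error RST_STREAM frames, the class of mitigation h2 0.3.24 /
// 0.4.2 apply to this bug. Names (`ResetBudget`, `on_stream_error`, the
// constants) and the sliding-window policy are assumptions for illustration.
use std::collections::VecDeque;
use std::time::{Duration, Instant};

/// Error resets tolerated per connection within one window (assumed value;
/// check the crate docs for h2's actual default).
pub const MAX_LOCAL_ERROR_RESETS: usize = 1024;
/// Length of the sliding window over which resets are counted (assumed).
pub const RESET_WINDOW: Duration = Duration::from_secs(10);

/// What the connection should do after a stream-level protocol error.
#[derive(Debug, PartialEq, Eq)]
pub enum Action {
    /// Answer with RST_STREAM on that stream and keep serving the connection.
    ResetStream,
    /// Budget exhausted: send GOAWAY (ENHANCE_YOUR_CALM) and drop the
    /// connection instead of queueing yet another RST_STREAM.
    CloseConnection,
}

/// Sliding-window counter of error resets emitted on one connection.
pub struct ResetBudget {
    max: usize,
    window: Duration,
    /// Send times of the resets still inside the window, oldest first.
    sent: VecDeque<Instant>,
}

impl ResetBudget {
    pub fn new(max: usize, window: Duration) -> Self {
        ResetBudget { max, window, sent: VecDeque::new() }
    }

    /// Drop timestamps that fell out of the window.
    fn evict_expired(&mut self, now: Instant) {
        while let Some(&oldest) = self.sent.front() {
            if now.duration_since(oldest) >= self.window {
                self.sent.pop_front();
            } else {
                break;
            }
        }
    }

    /// Called every time a stream must be reset because the peer sent an
    /// invalid request. Decides whether we can afford another RST_STREAM.
    pub fn on_stream_error(&mut self, now: Instant) -> Action {
        self.evict_expired(now);
        if self.sent.len() >= self.max {
            // A legitimate client does not trip the budget; a reset flood does.
            return Action::CloseConnection;
        }
        self.sent.push_back(now);
        Action::ResetStream
    }

    /// Resets currently counted against the budget.
    pub fn outstanding(&self) -> usize {
        self.sent.len()
    }
}

/// Model a peer that opens `n` streams and sends an invalid request on each
/// in a tight burst. Returns (RST_STREAM frames we sent, whether we closed
/// the connection). Without the budget the first number would equal `n`,
/// and each queued frame costs memory and CPU; with it, the flood is capped.
pub fn simulate_reset_flood(n: usize, max: usize, window: Duration) -> (usize, bool) {
    let mut budget = ResetBudget::new(max, window);
    let start = Instant::now();
    let mut resets_sent = 0;
    for i in 0..n {
        // Constructed timing: one bad request per microsecond, all inside the window.
        let now = start + Duration::from_micros(i as u64);
        match budget.on_stream_error(now) {
            Action::ResetStream => resets_sent += 1,
            Action::CloseConnection => return (resets_sent, true),
        }
    }
    (resets_sent, false)
}

fn main() {
    let (sent, closed) = simulate_reset_flood(100_000, MAX_LOCAL_ERROR_RESETS, RESET_WINDOW);
    println!("flood of 100000 invalid requests: sent {} RST_STREAM frames, closed = {}", sent, closed);
    let (sent, closed) = simulate_reset_flood(50, MAX_LOCAL_ERROR_RESETS, RESET_WINDOW);
    println!("50 invalid requests: sent {} RST_STREAM frames, closed = {}", sent, closed);
}
```

Two practical caveats. The budget must count resets the server chose to send because of peer errors, not resets the peer sent; counting both would let a client that merely cancels requests trip it. And a hard cap is only the last line of defence: on a fleet behind a load balancer, also watch the rate of GOAWAY-on-error per source, since an attacker that is cut off at 1024 resets simply reconnects.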
Affected packages (6)
- Alpine/nodejs: from 0, < 10.16.3-r0
- crates.io/h2: >= 0.0.0-0, < 0.3.24; >= 0.4.0-0, < 0.4.2
- Debian/h2o: from 0, < 2.2.5+dfsg2-3
- Debian/nodejs: from 0, < 10.16.3~dfsg-1
- Debian/rust-h2: from 0
- Debian/trafficserver: from 0, < 8.0.5+ds-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- ADVISORY: https://rustsec.org/advisories/RUSTSEC-2024-0003.html
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2019-9514
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2019-9514
- PATCH: https://crates.io/crates/h2