CVE-2020-11080

HIGH7.5EPSS 1.2%

Denial of service in nghttp2

Published: 6/3/2020Modified: 4/28/2026

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Affected packages (8)

Alpine/nghttp2from 0, < 1.39.2-r1
Alpine/nodejsfrom 0, < 12.20.1-r0
Bitnami/node>= 10.13.0, < 10.21.0, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
Bitnami/node-min>= 10.0.0, < 10.12.1, >= 10.13.0, < 10.21.0, >= 12.0.0, < 12.12.1, >= 12.13.0, < 12.18.0, >= 14.0.0, < 14.4.1
Debian/nghttp2from 0, < 1.36.0-2+deb10u2
Debian/nghttp2from 0, < 1.41.0-1
Debian/nodejsfrom 0, < 10.21.0~dfsg-1~deb10u1
Debian/nodejsfrom 0, < 10.21.0~dfsg-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Affected packages (8)

CVSS scores

References (17)