Allele Security Alert
Slowloris HTTP Denial of Service with keep-alive
The Node.js Project
Affected versions
All versions of Node.js 6 (LTS “Boron”)
All versions of Node.js 8 (LTS “Carbon”)
All versions of Node.js 10 (LTS “Dubnium”)
All versions of Node.js 11 (Current)
Fixed versions
Node.js 11.10.1 (Current)
Node.js 10.15.2 (LTS “Dubnium”)
Node.js 8.15.1 (LTS “Carbon”)
Node.js 6.17.0 (LTS “Boron”)
Proof of concept
All actively supported release lines are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and then sending headers very slowly, thereby keeping the connection and its associated resources alive for a long period of time. The attack potential is mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in November 2018. The 40 second timeout and its adjustment via server.headersTimeout apply to this fix as they did for CVE-2018-12121.
Credits
Marco Pracucci and Matteo Collina
References
February 2019 Security Releases
http: prevent slowloris with keepalive connections
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019