CVE-2019-9512

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Published: Aug 13, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-9512
GHSA: GHSA-hgr8-6h9x-f7q9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: High
Score: 7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
apple / swiftnio	1.0.0	1.4.0.x
apache / traffic_server	8.0.0	8.0.3.x
apache / traffic_server	7.0.0	7.1.6.x
apache / traffic_server	6.0.0	6.2.3.x
debian / debian_linux	10.0	10.0.x
nodejs / node.js	8.0.0	8.8.1.x
nodejs / node.js	10.0.0	10.12.0.x
nodejs / node.js	12.0.0	12.8.1
nodejs / node.js	10.13.0	10.16.3
nodejs / node.js	8.9.0	8.16.1
golang.org/x/net/http	-	0.0.0-20190813141303-74dc4d7220e7
golang.org/x/net	-	0.0.0-20190813141303-74dc4d7220e7

Vulnerability Database

289,599

CVE-2019-9512