[3.10] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
(from redmine: issue id 10054, created on 2019-03-05)
- parent #10053 (closed)