Fluid Attacks Database

Description

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	nodejs	=12.21.0~dfsg-5 \|\| =12.22.10~dfsg-1 \|\| =12.22.10~dfsg-2 \|\| =12.22.12~dfsg-1~deb11u1 \|\| =12.22.12~dfsg-1~deb11u2 \|\| =12.22.12~dfsg-1~deb11u3 \|\| =12.22.12~dfsg-1~deb11u4 \|\| =12.22.12~dfsg-1~deb11u5 \|\| =12.22.12~dfsg-1~deb11u6 \|\| =12.22.12~dfsg-1~deb11u7 \|\| =12.22.12~dfsg-1~deb11u8 \|\| =12.22.4~dfsg-1 \|\| =12.22.5~dfsg-1 \|\| =12.22.5~dfsg-2 \|\| =12.22.5~dfsg-2~11u1 \|\| =12.22.5~dfsg-3 \|\| =12.22.5~dfsg-4 \|\| =12.22.5~dfsg-5 \|\| =12.22.5~dfsg-6 \|\| =12.22.5~dfsg-7 \|\| =12.22.7~dfsg-1 \|\| =12.22.7~dfsg-2 \|\| =12.22.9~dfsg-1 \|\| =14.11.0~dfsg-1 \|\| =14.11.0~dfsg-2 \|\| =14.12.0~dfsg-1 \|\| =14.13.0~dfsg-1 \|\| =14.16.0~dfsg-1 \|\| =14.16.1~dfsg-1 \|\| =14.17.0~dfsg-1 \|\| =14.17.0~dfsg-2 \|\| =14.4.0~dfsg-1 \|\| =14.4.0~dfsg-2 \|\| =14.7.0~dfsg-1 \|\| =14.8.0~dfsg-1 \|\| =14.9.0~dfsg-1 \|\| =16.11.1~dfsg-1 \|\| =16.13.0~dfsg-1 \|\| =16.13.0~dfsg-2 \|\| =16.13.0~dfsg-3 \|\| =16.13.0~dfsg-4 \|\| =16.13.0~dfsg-5 \|\| =16.13.2+really14.19.0~dfsg-1 \|\| =16.13.2+really14.19.0~dfsg-2 \|\| =16.13.2+really14.19.1~dfsg-1 \|\| =16.13.2+really14.19.1~dfsg-2 \|\| =16.13.2+really14.19.1~dfsg-3 \|\| =16.13.2+really14.19.1~dfsg-4 \|\| =16.13.2+really14.19.1~dfsg-5 \|\| =16.13.2+really14.19.1~dfsg-6 \|\| =16.13.2~dfsg-1 \|\| =16.13.2~dfsg-2 \|\| =16.14.2+dfsg-1 \|\| =16.14.2+dfsg-2 \|\| =16.14.2+dfsg-3 \|\| =16.14.2+dfsg-4 \|\| =16.14.2+dfsg-5 \|\| =16.14.2+dfsg1-1 \|\| =16.15.0+dfsg-1 \|\| =16.15.1+dfsg-1 \|\| =18.10.0+dfsg-1 \|\| =18.10.0+dfsg-2 \|\| =18.10.0+dfsg-3 \|\| =18.10.0+dfsg-4 \|\| =18.10.0+dfsg-5 \|\| =18.10.0+dfsg-6 \|\| =18.11.0+dfsg-1 \|\| =18.11.0+dfsg-2 \|\| =18.11.0+dfsg-3 \|\| =18.11.0+dfsg-4 \|\| =18.12.0+dfsg-1 \|\| =18.12.1+dfsg-1 \|\| =18.12.1+dfsg-2 \|\| =18.12.1+dfsg-2+0.riscv64.1 \|\| =18.13.0+dfsg-1 \|\| =18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| =18.20.4+dfsg-1~deb12u2 \|\| =18.3.0+dfsg-1 \|\| =18.4.0+dfsg-1 \|\| =18.4.0+dfsg-2 \|\| =18.6.0+dfsg-1 \|\| =18.6.0+dfsg-2 \|\| =18.6.0+dfsg-3 \|\| =18.6.0+dfsg-4 \|\| =18.6.0+dfsg-5 \|\| =18.7.0+dfsg-1 \|\| =18.7.0+dfsg-4 \|\| =18.7.0+dfsg-5 \|\| =18.8.0+dfsg-1 \|\| =20.10.0+dfsg-1 \|\| =20.12.2+dfsg-1 \|\| =20.13.0+dfsg-1 \|\| =20.13.1+dfsg-1 \|\| =20.13.1+dfsg-2 \|\| =20.14.0+dfsg-1 \|\| =20.14.0+dfsg-2 \|\| =20.14.0+dfsg-3 \|\| =20.15.0+dfsg-1 \|\| =20.15.1+dfsg-1 \|\| =20.16.0+dfsg-1 \|\| =20.17.0+dfsg-1 \|\| =20.17.0+dfsg-2 \|\| =20.18.0+dfsg-1 \|\| =20.18.0+dfsg-2 \|\| =20.18.1+dfsg-1 \|\| =20.18.1+dfsg-2 \|\| =20.18.2+dfsg-1 \|\| =20.18.2+dfsg-2 \|\| =20.18.2+dfsg-3 \|\| =20.18.2+dfsg-4 \|\| =20.18.3+dfsg-1 \|\| =20.19.0+dfsg-1 \|\| =20.19.0+dfsg-2 \|\| =20.19.0+dfsg1-1 \|\| =20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-3 \|\| =24.11.1+dfsg+~cs24.10.1-1 \|\| =24.11.1+dfsg+~cs24.10.1-2 \|\| =24.12.0+dfsg+~cs24.10.4-1 \|\| =24.13.0+dfsg+~cs24.10.7-1 \|\| =24.13.0+dfsg+~cs24.10.7-2 \|\| =24.14.0+dfsg+~cs24.12.0-1 \|\| =24.14.0+dfsg+~cs24.12.0-2 \|\| =24.14.1+dfsg+~cs24.12.0-1 \|\| =24.15.0+dfsg+~cs24.12.2-1 \|\| =24.16.0+dfsg+~cs24.13.1-1 \|\| =24.16.0+dfsg+~cs24.13.1-2 \|\| =24.17.0+dfsg+~cs24.13.2-1	-
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| =18.20.4+dfsg-1~deb12u2 \|\| =20.10.0+dfsg-1 \|\| =20.12.2+dfsg-1 \|\| =20.13.0+dfsg-1 \|\| =20.13.1+dfsg-1 \|\| =20.13.1+dfsg-2 \|\| =20.14.0+dfsg-1 \|\| =20.14.0+dfsg-2 \|\| =20.14.0+dfsg-3 \|\| =20.15.0+dfsg-1 \|\| =20.15.1+dfsg-1 \|\| =20.16.0+dfsg-1 \|\| =20.17.0+dfsg-1 \|\| =20.17.0+dfsg-2 \|\| =20.18.0+dfsg-1 \|\| =20.18.0+dfsg-2 \|\| =20.18.1+dfsg-1 \|\| =20.18.1+dfsg-2 \|\| =20.18.2+dfsg-1 \|\| =20.18.2+dfsg-2 \|\| =20.18.2+dfsg-3 \|\| =20.18.2+dfsg-4 \|\| =20.18.3+dfsg-1 \|\| =20.19.0+dfsg-1 \|\| =20.19.0+dfsg-2 \|\| =20.19.0+dfsg1-1 \|\| =20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-3 \|\| =24.11.1+dfsg+~cs24.10.1-1 \|\| =24.11.1+dfsg+~cs24.10.1-2 \|\| =24.12.0+dfsg+~cs24.10.4-1 \|\| =24.13.0+dfsg+~cs24.10.7-1 \|\| =24.13.0+dfsg+~cs24.10.7-2 \|\| =24.14.0+dfsg+~cs24.12.0-1 \|\| =24.14.0+dfsg+~cs24.12.0-2 \|\| =24.14.1+dfsg+~cs24.12.0-1 \|\| =24.15.0+dfsg+~cs24.12.2-1 \|\| =24.16.0+dfsg+~cs24.13.1-1 \|\| =24.16.0+dfsg+~cs24.13.1-2 \|\| =24.17.0+dfsg+~cs24.13.2-1	-
debian 13	nodejs	=20.19.2+dfsg-1 \|\| =20.19.2+dfsg-1+deb13u1 \|\| =20.19.2+dfsg-1+deb13u2 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-3 \|\| =24.11.1+dfsg+~cs24.10.1-1 \|\| =24.11.1+dfsg+~cs24.10.1-2 \|\| =24.12.0+dfsg+~cs24.10.4-1 \|\| =24.13.0+dfsg+~cs24.10.7-1 \|\| =24.13.0+dfsg+~cs24.10.7-2 \|\| =24.14.0+dfsg+~cs24.12.0-1 \|\| =24.14.0+dfsg+~cs24.12.0-2 \|\| =24.14.1+dfsg+~cs24.12.0-1 \|\| =24.15.0+dfsg+~cs24.12.2-1 \|\| =24.16.0+dfsg+~cs24.13.1-1 \|\| =24.16.0+dfsg+~cs24.13.1-2 \|\| =24.17.0+dfsg+~cs24.13.2-1	-
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-3 \|\| =24.11.1+dfsg+~cs24.10.1-1 \|\| =24.11.1+dfsg+~cs24.10.1-2 \|\| =24.12.0+dfsg+~cs24.10.4-1 \|\| =24.13.0+dfsg+~cs24.10.7-1 \|\| =24.13.0+dfsg+~cs24.10.7-2 \|\| =24.14.0+dfsg+~cs24.12.0-1 \|\| =24.14.0+dfsg+~cs24.12.0-2 \|\| =24.14.1+dfsg+~cs24.12.0-1 \|\| =24.15.0+dfsg+~cs24.12.2-1 \|\| =24.16.0+dfsg+~cs24.13.1-1 \|\| =24.16.0+dfsg+~cs24.13.1-2 \|\| =24.17.0+dfsg+~cs24.13.2-1	-
alpine v3.21	nodejs	>=0 <22.23.0-r0	22.23.0-r0
alpine v3.24	nodejs	>=0 <24.17.0-r0	24.17.0-r0
alpine v3.22	nodejs	>=0 <22.23.0-r0	22.23.0-r0

Aliases

1. CVE-2026-489372. NVD-2026-489373. OSV-DEBIAN-2026-489374. OSV-2026-489375. OSV-ALPINE-2026-489376. SECURITY-TRACKER-CVE-2026-489377. SECURITY-CVE-2026-48937

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.