Fluid Attacks Database

Description

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| >=0 <18.20.4+dfsg-1~deb12u2	18.20.4+dfsg-1~deb12u2
rpm rhel8	nodejs	-	-
debian 11	nodejs	=12.21.0~dfsg-5 \|\| =12.22.10~dfsg-1 \|\| =12.22.10~dfsg-2 \|\| =12.22.12~dfsg-1~deb11u1 \|\| =12.22.12~dfsg-1~deb11u2 \|\| =12.22.12~dfsg-1~deb11u3 \|\| =12.22.12~dfsg-1~deb11u4 \|\| =12.22.12~dfsg-1~deb11u5 \|\| =12.22.12~dfsg-1~deb11u6 \|\| =12.22.12~dfsg-1~deb11u7 \|\| =12.22.4~dfsg-1 \|\| =12.22.5~dfsg-1 \|\| =12.22.5~dfsg-2 \|\| =12.22.5~dfsg-2~11u1 \|\| =12.22.5~dfsg-3 \|\| =12.22.5~dfsg-4 \|\| =12.22.5~dfsg-5 \|\| =12.22.5~dfsg-6 \|\| =12.22.5~dfsg-7 \|\| =12.22.7~dfsg-1 \|\| =12.22.7~dfsg-2 \|\| =12.22.9~dfsg-1 \|\| >=0 <12.22.12~dfsg-1~deb11u8	12.22.12~dfsg-1~deb11u8
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.22.0-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0
rpm rhel9	nodejs	-	-
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| >=0 <22.22.2+dfsg+~cs22.19.15-1	22.22.2+dfsg+~cs22.19.15-1
alpine v3.21	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.13.1-r0 \|\| =22.15.1-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0
debian 13	nodejs	=20.19.2+dfsg-1 \|\| =20.19.2+dfsg-1+deb13u1 \|\| >=0 <20.19.2+dfsg-1+deb13u2	20.19.2+dfsg-1+deb13u2
alpine v3.23	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.16.0-r3 \|\| =22.19.0-r3 \|\| =22.19.0-r4 \|\| =22.21.0-r0 \|\| =24.11.1-r0 \|\| =24.13.0-r0 \|\| =24.13.0-r1 \|\| >=0 <24.14.1-r0	24.14.1-r0
rpm rhel10	nodejs22	-	-

1-10 of 11

Aliases

1. CVE-2026-217142. NVD-2026-217143. OSV-DEBIAN-2026-217144. OSV-2026-217145. OSV-ALPINE-2026-217146. SECURITY-TRACKER-CVE-2026-217147. SECURITY-CVE-2026-21714

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.