ALPINE-CVE-2020-11080

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2020-11080
Published: 03 Jun 2020, 23:15
Last modified:03 Dec 2025, 22:48

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

03 Jun 2020, 23:15
Published
Vulnerability first disclosed
03 Dec 2025, 22:48
Last Modified
Vulnerability information updated

Description

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

  • alpinenghttp2

    < 1.39.2-r1 | < 1.40.0-r1 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.41.0-r0 | < 1.35.1-r2

  • alpinenodejs

    < 12.20.1-r0 | < 12.18.3-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0 | < 12.18.0-r0

References (1)