Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
Conclusion & alert: CVE-2018-12121 is rated High Risk (67.9/100): CVSS High severity, with high exploitation likelihood (EPSS 10.21%, 95th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.63% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 5.57% | 10.21% | +4.63% |
| 2 | 2026-04-25 | 5.77% | 5.57% | -0.20% |
| 3 | 2026-04-18 | — | 5.77% | — |
Full EPSS history (56 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2018-12121: 2 source package rows (nodejs, nodejs-current); 47 state rows across 17 repos (3.10-main, 3.11-main, 3.12-main, 3.17-community, 3.17-main, 3.18-community, 3.18-main, 3.19-community, 3.19-main, 3.20-community, 3.20-main, 3.21-community, 3.21-main, 3.22-community, 3.22-main, edge-community, edge-main); fixed 17, open 30. | https://security.alpinelinux.org/vuln/CVE-2018-12121 |
debian
|
unimportant | CVE-2018-12121 unimportant priority: Debian including 1 source packages (nodejs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2018-12121 |
gentoo
|
normal | CVE-2018-12121: 1 GLSA(s) (202003-48), 1 atom(s) (net-libs/nodejs); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2018-12121 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2018-12121 |
suse
|
medium | CVE-2018-12121 severity moderate: SUSE including 76 source package names (MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, …), 237 product×package rows across 32 product lines (SUSE CaaS Platform 4.0, SUSE Enterprise Storage 4, … (32 product lines)): Fixed 170, Known Not Affected 67. | https://www.suse.com/security/cve/CVE-2018-12121/ |
ubuntu
|
medium | CVE-2018-12121 medium priority: Ubuntu including 1 source packages (nodejs), 19 status rows across 19 suites (bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 14, deferred 3, ignored 1, released 1. | https://ubuntu.com/security/CVE-2018-12121 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| nodejs | node.js | >= 6.0.0, < 6.15.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
| nodejs | node.js | >= 8.0.0, < 8.14.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
| nodejs | node.js | >= 10.0.0, < 10.14.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
| nodejs | node.js | >= 11.0.0, < 11.3.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:* |
| redhat | enterprise_linux_desktop | 7.0 | cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.1 | cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.2 | cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.4 | cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.6 | cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server | 7.0 | cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 8.2 | cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 8.4 | cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_aus | 8.6 | cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_tus | 8.2 | cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_tus | 8.4 | cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server_tus | 8.6 | cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:* |
| redhat | enterprise_linux_workstation | 7.0 | cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106043 | Third Party Advisory VDB Entry |
| https://access.redhat.com/errata/RHSA-2019:1821 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2019:2258 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2019:3497 | Third Party Advisory |
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | Patch Vendor Advisory |
| https://security.gentoo.org/glsa/202003-48 | Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20241227-0008/ |