Update Node.js to v18.18.2 or v20.8.1 immediately: the nghttp2 rapid-reset DoS affects every Node.js HTTP/2 server, and undici leaks cookies on cross-origin redirects.
Summary
HTTP/2 servers in production are exposed to denial-of-service through unbounded stream cancellation: a client can open streams and reset them immediately, faster than the server finishes tearing them down. Cookie leakage across redirect chains breaks the same-origin boundary that fetch implementations are assumed to enforce the way browsers do.
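The fix for the DoS is a bound on how many stream cancellations a single client may issue. The following is an added example, not code from the brief, from Node.js or from nghttp2: a per-connection token-bucket limit on client-sent RST_STREAM frames, run over a constructed frame log that contains one flooding client and one well-behaved one. The burst and refill figures are assumptions chosen for illustration.

```javascript
// Added example (not code from the brief, Node.js or nghttp2): a per-connection
// token-bucket limit on client-sent RST_STREAM frames, the kind of bound that
// turns "unbounded stream cancellation" into a droppable connection.
// Burst and refill numbers are assumptions chosen for illustration.

class ResetRateLimiter {
  constructor({ burst = 1000, perSecond = 33 } = {}) {
    this.burst = burst;           // resets a client may send before refill matters
    this.perSecond = perSecond;   // sustained resets per second tolerated
    this.buckets = new Map();     // connection id -> { tokens, last }
  }

  // Record one RST_STREAM from `conn` at time `ts` (milliseconds).
  // Returns true when the connection has exhausted its reset budget.
  onReset(conn, ts) {
    let b = this.buckets.get(conn);
    if (!b) {
      b = { tokens: this.burst, last: ts };
      this.buckets.set(conn, b);
    }
    const elapsedSec = Math.max(0, ts - b.last) / 1000;
    b.tokens = Math.min(this.burst, b.tokens + elapsedSec * this.perSecond);
    b.last = ts;
    if (b.tokens < 1) return true;   // over budget: caller should close the connection
    b.tokens -= 1;
    return false;
  }
}

// Run a frame log through the limiter. Only RST_STREAM frames consume budget;
// HEADERS frames are listed to show what the rapid-reset pattern looks like.
// Returns a Map: connection id -> { resets, dropAt }, where dropAt is the index
// (among that connection's resets) at which the budget ran out, or -1.
function scanFrames(frames, limiter = new ResetRateLimiter()) {
  const report = new Map();
  for (const f of frames) {
    let r = report.get(f.conn);
    if (!r) { r = { resets: 0, dropAt: -1 }; report.set(f.conn, r); }
    if (f.type !== 'RST_STREAM') continue;
    const over = limiter.onReset(f.conn, f.ts);
    if (over && r.dropAt === -1) r.dropAt = r.resets;
    r.resets += 1;
  }
  return report;
}

// Constructed sample traffic: one client opening and resetting 1500 streams
// within 15 ms, and one well-behaved client cancelling a request once a second.
function sampleFrames() {
  const frames = [];
  for (let i = 0; i < 1500; i++) {
    const stream = 2 * i + 1;      // client-initiated streams use odd ids
    frames.push({ conn: 'flood', type: 'HEADERS', stream, ts: i * 0.01 });
    frames.push({ conn: 'flood', type: 'RST_STREAM', stream, ts: i * 0.01 });
  }
  for (let i = 0; i < 5; i++) {
    frames.push({ conn: 'benign', type: 'HEADERS', stream: 2 * i + 1, ts: i * 1000 });
    frames.push({ conn: 'benign', type: 'RST_STREAM', stream: 2 * i + 1, ts: i * 1000 + 50 });
  }
  return frames;
}

function rapidResetDemo() {
  return scanFrames(sampleFrames());
}
```

With these numbers the flooding connection is flagged on its 1001st reset (index 1000), while the benign client never comes close to the budget; a real server would close the flagged connection with GOAWAY rather than keep counting.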
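The cookie leak comes down to one rule a fetch implementation must apply when it follows a redirect. The following is an added example, not undici's or Node.js's code: the header-sanitising step with a `stripCookies` switch so that the leaky behaviour the brief describes (Cookie travels with the request to a different origin) sits beside the corrected rule (Cookie and Authorization are dropped whenever the redirect leaves the original origin). The list of sensitive headers and the `demo` scenario are assumptions constructed for illustration.

```javascript
// Added example, not undici's or Node.js's code: the header-sanitising rule a
// fetch implementation applies when following a redirect. `stripCookies: false`
// reproduces the leaky behaviour; the default reproduces the corrected rule.
// The header list is an assumption for illustration.

function sameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  // WHATWG URL drops default ports, so "http://a.test:80" compares equal to "http://a.test".
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

const CROSS_ORIGIN_SENSITIVE = ['cookie', 'authorization'];

// headers: plain object of request headers; fromUrl: URL the redirect response
// came from; location: the Location header value (absolute or relative).
function headersForRedirect(headers, fromUrl, location, { stripCookies = true } = {}) {
  const target = new URL(location, fromUrl).toString();
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  if (!sameOrigin(fromUrl, target)) {
    for (const name of CROSS_ORIGIN_SENSITIVE) {
      if (name === 'cookie' && !stripCookies) continue; // the omission behind the leak
      delete out[name];
    }
  }
  return { url: target, headers: out };
}

// Constructed scenario: an authenticated request to app.example is redirected
// to a third-party host; the session cookie must not travel with it, while a
// same-origin hop keeps it.
function redirectDemo() {
  const req = { Cookie: 'session=abc123', Authorization: 'Bearer t0k3n', Accept: 'application/json' };
  const from = 'https://app.example/api/export';
  return {
    leaky: headersForRedirect(req, from, 'https://third-party.example/collect', { stripCookies: false }),
    fixed: headersForRedirect(req, from, 'https://third-party.example/collect'),
    sameOriginHop: headersForRedirect(req, from, '/api/export/v2'),
  };
}
```

The same function doubles as a regression check: feed it the redirect you are worried about and assert that `cookie` is absent from the result whenever the target origin differs.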
Implementation verdict
Requires an immediate patch: pull v18.18.2 or v20.8.1. There is no configuration workaround; production HTTP/2 deployments are blocked until it is applied. The experimental permission model and policy features are also patched, but with a lower blast radius.
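Since there is no configuration workaround, the practical control is a gate that refuses to serve HTTP/2 from an unpatched runtime. The following is an added example, not Node.js tooling or code from the brief: a preflight check for a deploy or startup script that compares the running release against the fixed versions the brief names (v18.18.2 on the 18.x line, v20.8.1 on the 20.x line) and reports any other release line as not covered rather than guessing.

```javascript
// Added example, not part of Node.js or the brief: a preflight check that
// refuses to start an HTTP/2 service on a Node.js release older than the fixed
// versions named in the brief. Release lines the brief does not mention are
// reported as null ("not covered") rather than assumed safe or vulnerable.

const FIXED_RELEASES = { 18: [18, 18, 2], 20: [20, 8, 1] };

function parseNodeVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true -> release contains the fixes; false -> vulnerable; null -> line not covered here
function isPatchedNodeVersion(version) {
  const parsed = parseNodeVersion(version);
  const floor = FIXED_RELEASES[parsed[0]];
  if (!floor) return null;
  return compareVersions(parsed, floor) >= 0;
}

// Gate for a startup script: throw before binding an HTTP/2 listener on a known-bad release.
function requirePatchedNode(version = process.version) {
  const verdict = isPatchedNodeVersion(version);
  if (verdict === false) {
    throw new Error(`Node.js ${version} predates the security release; upgrade before serving HTTP/2`);
  }
  return verdict;
}
```

Call `requirePatchedNode()` before `http2.createSecureServer(...)` in the service entry point, and treat a `null` verdict as a prompt to check the advisory for that release line rather than as a pass.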
Sources
Dev Signal