Node.js RCE Vulnerability Let Attackers Exploit & Crash The Apps

Security researcher Matthew Douglass recently discovered a use-after-free vulnerability in Node.js (an RCE vulnerability) that has been rated high severity and is tracked as:-

Use-after-free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js has already released security updates for this high-severity vulnerability, and the project warned that threat actors could exploit the flaw to corrupt the process and provoke unexpected behavior.

Use-after-free vulnerabilities arise when a program attempts to access a memory location that has already been freed and no longer holds the resources the program expects to find there.

This use-after-free vulnerability (CVE-2021-22930) could lead to the following:-

  • Data corruption
  • Application crashes
  • Abnormal behavior of apps
  • Remote code execution (RCE)

Fixes for the flaw

The security fix for this severe flaw shipped in the latest Node.js release, 16.6.0, and was also backported to the following versions:-

  • 12.22.4 (LTS)
  • 14.17.4 (LTS)

Daniel Bevenius, principal software engineer at Red Hat and a member of the Node.js Technical Steering Committee (TSC), gave the following statement:-

“We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned.”

The bug is triggered when HTTP/2 streams are cancelled

The researcher also explained that the vulnerability was triggered where Node.js parsed incoming RST_STREAM frames carrying a "no error" or "cancel" code.

In applications based on the HTTP/2 protocol, the RST_STREAM frame is sent to terminate a connection.

To make this clearer, take a client-server application: if the client wants to end the connection, it sends an RST_STREAM frame to the server.

When the server receives an RST_STREAM frame with a “cancel” code (nghttp2_cancel), the receiver tries to “force purge” any data it has received.

Downloads and release details

The downloads and release details are listed below:-

  • Node.js v12.22.4 (LTS)
  • Node.js v14.17.4 (LTS)
  • Node.js v16.6.0 (Current)

Cybersecurity analysts strongly recommend that Node.js users upgrade from older versions to the latest release or to a patched backported version.
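The quickest check a defender can run is whether a given Node.js version sits at or above the fixed releases named above (12.22.4, 14.17.4, 16.6.0). The script below is an added example, not code from the advisory or the Node.js project; it assumes that release lines without a listed backport (anything below 12, and the odd-numbered 13 and 15 lines) should be treated as unpatched, and that every major line after 16 already includes the fix.

```javascript
// Added example (not from the advisory or the Node.js project): decide whether
// a Node.js version carries the fix for CVE-2021-22930.
// Fixed versions are the ones named in the article. Release lines with no
// listed backport are assumed unpatched; majors newer than 16 are assumed
// fixed, since the fix shipped in 16.6.0 before any later major release.
const FIXED_VERSIONS = {
  12: [12, 22, 4],
  14: [14, 17, 4],
  16: [16, 6, 0],
};

// Parse "v16.5.0" or "16.5.0" into [16, 5, 0]; throws on malformed input
// rather than silently treating garbage as "patched".
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is on a release line with a listed fix and is at or
// above that fixed version, or on a major line newer than 16 (assumption).
function isPatched(version) {
  const v = parseVersion(version);
  if (v[0] > 16) return true;
  const fixed = FIXED_VERSIONS[v[0]];
  if (!fixed) return false;
  return compareVersions(v, fixed) >= 0;
}

// One-line report for the running process.
function report(version) {
  const status = isPatched(version) ? 'patched' : 'UNPATCHED';
  return `Node.js ${version}: ${status} for CVE-2021-22930`;
}

console.log(report(process.version));
```

Run it with `node` on each host; a line reading UNPATCHED means the process is still on a version without the fix.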


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.