Node.js has released updates for a high severity vulnerability that could be exploited by attackers to corrupt the process and cause unexpected behaviors, such as application crashes and potentially remote code execution (RCE).
The use-after-free vulnerability, tracked as CVE-2021-22930, concerns how HTTP/2 streams are handled by the runtime.
Node.js pushes out quick fixes for the flaw
This week Node.js pushed out fixes for the high severity use-after-free vulnerability tracked as CVE-2021-22930.
Use-after-free vulnerabilities occur when a program tries to access a resource at a memory address that has previously been freed and no longer holds that resource.
This can lead to data corruption or unexpected behaviors such as application crashes, and even remote code execution (RCE) in some cases.
The fixes landed in the latest Node.js release, 16.6.0, and were also backported to versions 12.22.4 (LTS) and 14.17.4 (LTS).
The fix shown below has been applied across multiple Node.js branches to squash the use-after-free vulnerability:
Eran Levin has been credited with reporting this vulnerability.
The abrupt update release for a high severity vulnerability is explained by the fact that discussions around the vulnerability were already public:
“We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned,” announced Red Hat principal software engineer and Node.js Technical Steering Committee (TSC) member Daniel Bevenius.
Bug triggered when aborting HTTP connections
The vulnerability was triggered in cases where Node.js parsed incoming RST_STREAM frames carrying either no error code or a cancel code.
In applications based on the HTTP/2 protocol, an RST_STREAM frame is sent by the host intending to terminate a connection.
For example, in a client-server architecture, if a client application wants to end the connection, it can send an RST_STREAM frame to the server.
On receiving the frame, the server will stop responding to the client, eventually aborting the connection. Any “DATA” frames received by the client can then be discarded.
But in the case of vulnerable Node.js versions, when an RST_STREAM frame was received with a “cancel” code (nghttp2_cancel), the receiver would try to “force purge” any data received.
And once this was done, an automatic callback would additionally run the “close” function, attempting to free the memory a second time, even though it had already been freed in the previous step.
This double-free error, previously regarded as a “bug” rather than an exploitable vulnerability, was reported on June 8th, 2021 by Matthew Douglass on a public thread.
Douglass was able to reproduce the bug 100% of the time on his system, resulting in application crashes.
The discussion went on for well over a month between Douglass and Node.js contributors:
“The issue seems to be due to the handling of the RST_STREAM frame received with no error code and cancel error code.”
“The node tries to force process it and purge any existing data for the stream. This causes nghttp2 to close the already destroyed stream causing the double-free error,” responded GitHub user kumarak.
The fix rolled out instead adds incoming RST_STREAM frames to a queue and processes that queue once it is safe to do so. This should prevent any double-free or use-after-free errors.
Node.js users should upgrade to the latest version, 16.6.0, or to a patched backported version.
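A small inventory check, added here as an example and not part of the article or the Node.js project: it compares a Node.js version string against the fixed releases the article lists (16.6.0, 12.22.4, 14.17.4). Release lines the article names no fix for (such as 13.x and 15.x) are reported as unpatched, and majors newer than 16 are assumed to contain the fix.

```javascript
// Added example (not from the article or the Node.js project): check a Node.js
// version string against the release lines listed as fixed for CVE-2021-22930.
// Version strings are assumed to look like "v14.17.3" or "14.17.3".
const FIXED_VERSIONS = { 12: '12.22.4', 14: '14.17.4', 16: '16.6.0' };

// Parse "v16.6.0" / "16.6.0" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not lexical) comparison, so 14.17.10 sorts above 14.17.4.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { patched: boolean, reason: string } for the given version string.
function checkCve202122930(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  const fixed = FIXED_VERSIONS[major];
  if (fixed) {
    const ok = compareVersions(parsed, parseVersion(fixed)) >= 0;
    return { patched: ok, reason: ok ? `at or above ${fixed}` : `below fixed release ${fixed}` };
  }
  if (major > 16) {
    // Assumption: every release line after 16.x was cut after the fix landed.
    return { patched: true, reason: 'release line newer than 16.6.0' };
  }
  // 13.x, 15.x and anything older than 12.x: no fixed release is listed.
  return { patched: false, reason: 'no fixed release listed for this line; move to a patched LTS line' };
}

// Report on the runtime this script is executing under.
console.log(process.version, checkCve202122930(process.version));
```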