Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP2 streams are handled in the language.
When a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource, it is called a use-after-free vulnerability. In some situations, this might result in data corruption, unexpected behaviours including programme crashes, or even remote code execution (RCE). The changes were included in the most recent Node.js release 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4. (LTS). This flaw was discovered by Eran Levin, who is credited with reporting it.
“We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned,” announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius.
When Node.js read incoming RST_STREAM frames with no error code or cancel code, the vulnerability was exploited. In HTTP/2 applications, the RST_STREAM frame is issued by the host when it wants to close a connection. In a client-server architecture, for example, a client programme would send a RST_STREAM frame to the server to terminate the connection. When the server receives the frame, it will stop replying to the client and terminate the connection. The server might then discard any “DATA” frames it was about to send to the client.
When a RST_STREAM frame was received by the server with a “cancel” code (nghttp2_cancel) in vulnerable Node.js versions, the receiver would try to “force purge” any data received. After that, an automatic call-back would perform the “close” function a second time, aiming to free up the memory that had already been freed in the previous phase.
And, as a result of the double-free error, the application might crash or behave erratically. On June 8th, 2021, Matthew Douglass posted a public thread about this issue, which was previously considered of as a “bug” rather than an exploitable vulnerability.