1. August 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Node.js has released patches for a high-severity vulnerability that could be used by attackers to corrupt the process and cause unexpected behaviour including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP2 streams are handled in the language. 

Node.js is a back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside of a browser. Node.js allows developers to utilise JavaScript to create command-line tools and server-side scripting, which involves running scripts on the server before sending the page to the user’s browser. This week, Node.js released patches for CVE-2021-22930, a high-severity use-after-free vulnerability. 

When a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource, it is called a use-after-free vulnerability. In some situations, this might result in data corruption, unexpected behaviours including programme crashes, or even remote code execution (RCE). The changes were included in the most recent Node.js release 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4. (LTS). This flaw was discovered by Eran Levin, who is credited with reporting it. 

“We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned,” announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius. 

Read the original article: Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug