Security News > 2021 > July > Node.js fixes severe HTTP bug that could let attackers crash apps
Node.js has released updates for a high severity vulnerability that could be exploited by attackers to corrupt the process and cause unexpected behaviors, such as application crashes and potentially remote code execution.
In a client-server architecture, if a client application wants to end the connection, it would send an RST STREAM frame to the server.
In the case of vulnerable Node.js versions, when an RST STREAM frame was received by the server with a "Cancel" code, the receiver would try to "Force purge" any data received.
"The issue seems to be because of the handling of the RST STREAM frame received with no error code and cancel error code."
"The node tries to force process it and purge any existing data for the stream. This causes nghttp2 to close the already destroyed stream causing the double-free error," responded GitHub user kumarak.
The fix rolled out instead adds the incoming stream of RST STREAM frames to a queue and processes the queue once it is safe to do so.