Use After Free

Affecting node package, versions [16.0.0,16.6.0) || [14.0.0,14.17.4) || [12.0.0,12.22.4)


Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free in the http2 module when a stream is cancelled while the session is closing. An attacker might be able to exploit the memory corruption to change process behaviour.

Remediation

Upgrade node to version 16.6.0, 14.17.4, 12.22.4 or higher.
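An added example, not taken from the advisory or from the Node.js project, that evaluates the affected-version notation listed at the top of this page against a Node.js version string, so a deployment can be checked for exposure before upgrading. It interprets `[`/`]` as inclusive and `(`/`)` as exclusive bounds and treats `||` as "any of"; the helper names are this example's own.

```javascript
// Added example (not part of the Snyk advisory): evaluate the advisory's
// affected-version ranges against a Node.js version string.
// Range syntax is the advisory's interval notation, e.g. "[16.0.0,16.6.0)",
// joined by "||"; "[" / "]" are inclusive bounds, "(" / ")" exclusive.
const AFFECTED = '[16.0.0,16.6.0) || [14.0.0,14.17.4) || [12.0.0,12.22.4)';

// Parse "vX.Y.Z" or "X.Y.Z" into [X, Y, Z]; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse one interval such as "[14.0.0,14.17.4)" into bounds and inclusivity.
function parseInterval(text) {
  const m = /^([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])$/.exec(text.trim());
  if (!m) throw new Error(`unrecognised interval: ${text}`);
  return {
    lo: parseVersion(m[2]), loInc: m[1] === '[',
    hi: parseVersion(m[3]), hiInc: m[4] === ']',
  };
}

function inInterval(version, iv) {
  const lo = compare(version, iv.lo);
  const hi = compare(version, iv.hi);
  return (iv.loInc ? lo >= 0 : lo > 0) && (iv.hiInc ? hi <= 0 : hi < 0);
}

// True when `version` falls inside any of the "||"-separated intervals.
function isAffected(version, ranges = AFFECTED) {
  const v = parseVersion(version);
  return ranges.split('||').some((part) => inInterval(v, parseInterval(part)));
}

// Check the running interpreter when executed directly (CommonJS entry point).
if (typeof require !== 'undefined' && require.main === module) {
  const affected = isAffected(process.version);
  console.log(`${process.version}: ${affected ? 'AFFECTED by CVE-2021-22930' : 'not affected'}`);
}
```

Run it with the Node.js build under test; the fixed releases named in the remediation above (16.6.0, 14.17.4, 12.22.4) are reported as not affected because the upper bounds are exclusive.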

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Credit
Eran Levin (exx8)
CVE
CVE-2021-22930
CWE
CWE-416
Snyk ID
SNYK-UPSTREAM-NODE-1534880
Disclosed
29 Jul, 2021
Published
29 Jul, 2021