Vulnerability in HTTP2 module from Node.js

The developers of the server-side JavaScript platform Node.js have published corrective releases 12.22.4, 14.17.4 and 16.6.0, which partially fix a vulnerability (CVE-2021-22930) in the HTTP2 module (HTTP/2.0 client). The bug allows a process crash to be triggered, and potentially code execution on the system, when a connection is made to a host controlled by the attacker.

The problem is caused by access to an already freed memory area when a connection is closed after receiving specially crafted RST_STREAM frames for streams on which intensive read operations that block writes are in progress. If an RST_STREAM (stream reset) frame is received without an error code specified, the HTTP2 module additionally invokes the cleanup procedure for data that has already been received, in which the close handler is reused for an already closed stream, leading to a double free of data structures.

In the discussion of the fix it is noted that the problem is not completely eliminated and, under somewhat different conditions, continues to manifest at least in Node.js 12.22.4. Analysis showed that the fix closes only one of the special cases (when the stream is in read mode) and does not take into account other stream states (reading while paused, paused with some kinds of writes).

/Media reports.