Node.js has published updates for a high-severity flaw that threat actors could exploit to corrupt the process and cause unexpected behavior, including application crashes and possibly remote code execution (RCE).
The use-after-free flaw, tracked as CVE-2021-22930, affects the way Node.js handles HTTP/2 streams. The fixes were included in the most recent Node.js release, 16.6.0, as well as in versions 12.22.4 (LTS) and 14.17.4 (LTS).
The vulnerability was triggered when Node.js read incoming RST_STREAM frames with no cancel code or error code.
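To check deployed runtimes against the fixed releases named above, a small version audit helps. This is an added example, not code from Node.js or the original article; the host names and inventory are constructed, and treating release lines newer than 16 as patched is an assumption.

```javascript
// Fixed releases as listed in the article, keyed by major release line.
const FIXED = { 12: [12, 22, 4], 14: [14, 17, 4], 16: [16, 6, 0] };

// Parse "v14.17.3" or "14.17.3" into [major, minor, patch]; null if malformed.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify one version string: 'patched', 'vulnerable', 'unlisted' or 'invalid'.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'invalid';
  // Assumption: release lines newer than 16 were cut after the fix landed.
  if (v[0] > 16) return 'patched';
  const fixed = FIXED[v[0]];
  // Lines the article does not mention (e.g. 10.x, 15.x) need a manual check.
  if (!fixed) return 'unlisted';
  return compare(v, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Return every host whose runtime is not confirmed patched.
function audit(hosts) {
  return Object.entries(hosts)
    .map(([host, version]) => ({ host, version, status: classify(version) }))
    .filter((entry) => entry.status !== 'patched');
}

// Constructed sample inventory (host names and versions are made up).
const inventory = {
  'web-1': 'v14.17.3',
  'api-1': 'v16.6.0',
  'batch-1': '12.22.4',
  'legacy-1': 'v10.24.1',
};

console.log('this runtime:', process.version, classify(process.version));
console.log(audit(inventory));
```

Hosts reported as `unlisted` run a release line the article does not cover and should be checked against the Node.js security advisory directly.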
To Read More: bleepingcomputer