What is CVE-2021-22930?

CVE-2021-22930 is a vulnerability in Node.js that allows for a use-after-free attack, leading to memory corruption and a change in process behavior.

What is the severity of CVE-2021-22930?

CVE-2021-22930 has a severity rating of critical, with a severity value of 9.

What software versions are affected by CVE-2021-22930?

Versions before Node.js 16.6.0, 14.17.4, and 12.22.4 are affected by CVE-2021-22930.

How can I fix CVE-2021-22930?

To fix CVE-2021-22930, update to Node.js versions 16.6.0, 14.17.4, or 12.22.4.

What is a use-after-free attack?

A use-after-free attack is a type of memory corruption attack where an attacker manipulates object references after they have been freed, leading to unintended behavior and potential exploitation.

Vulnerability/
CVE-2021-22930

critical

9.8

CWE

416

29/7/2021

7/10/2021

5/1/2024

CVE-2021-22930: Use After Free

First published: Thu Jul 29 2021(Updated: )

Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
redhat/rh-nodejs14-nodejs	<0:14.17.5-1.el7	0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs	<0:12.22.5-1.el7	0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon	<0:2.0.3-5.el7	0:2.0.3-5.el7
redhat/nodejs	<12.22.4	12.22.4
redhat/nodejs	<14.17.4	14.17.4
redhat/nodejs	<16.6.0	16.6.0
	>=12.0.0<12.22.4
	>=14.0.0<14.17.4
	>=16.0.0<16.6.0

	<1.0.1.1
	=10.0
Nodejs Node.js	>=12.0.0<12.22.4
Nodejs Node.js	>=14.0.0<14.17.4
Nodejs Node.js	>=16.0.0<16.6.0
Netapp Nextgen Api
Siemens Sinec Infrastructure Network Services	<1.0.1.1
Debian Debian Linux	=10.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-22930?
CVE-2021-22930 is a vulnerability in Node.js that allows for a use-after-free attack, leading to memory corruption and a change in process behavior.
What is the severity of CVE-2021-22930?
CVE-2021-22930 has a severity rating of critical, with a severity value of 9.
What software versions are affected by CVE-2021-22930?
Versions before Node.js 16.6.0, 14.17.4, and 12.22.4 are affected by CVE-2021-22930.
How can I fix CVE-2021-22930?
To fix CVE-2021-22930, update to Node.js versions 16.6.0, 14.17.4, or 12.22.4.
What is a use-after-free attack?
A use-after-free attack is a type of memory corruption attack where an attacker manipulates object references after they have been freed, leading to unintended behavior and potential exploitation.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/ibm-support
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-22930
collector/redhat-cve
vendor/nodejs
canonical/nodejs node.js
version/nodejs node.js/12.0.0
version/nodejs node.js/14.0.0
version/nodejs node.js/16.0.0
vendor/netapp
canonical/netapp nextgen api
vendor/siemens
canonical/siemens sinec infrastructure network services
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
package-manager/redhat