CVE-2021-22940
CVE-2021-22940
In short
Node.js has a memory bug where freed memory can still be accessed, allowing attackers to corrupt memory and change how the program behaves. This can lead to crashes or unexpected actions.
Technical detail
Use-after-free vulnerability in Node.js runtime allows attackers to access memory regions that have been deallocated, potentially enabling arbitrary code execution or process manipulation. The attack vector involves crafting inputs that trigger the freed memory access, with impact depending on the memory layout and process execution context.
Summary generated and translated by AI from the official description.
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Affected products
NodeJS · NodeWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfhttps://hackerone.com/reports/1238162https://lists.debian.org/debian-lts-announce/2022/10/msg00006.htmlhttps://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/https://security.gentoo.org/glsa/202401-02https://security.netapp.com/advisory/ntap-20210923-0001/https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.html