How the CVE Works:
CVE-2021-22931 is a critical vulnerability in Node.js that allows remote attackers to execute arbitrary code due to improper input validation in the `http2` module. The flaw arises when handling large HTTP/2 headers, leading to a buffer overflow. Attackers can exploit this by sending a maliciously crafted HTTP/2 request, triggering memory corruption and potentially gaining control over the target system. This vulnerability affects applications using the `http2` module without proper input sanitization, enabling unauthenticated RCE under certain configurations.
DailyCVE Form:
Platform: Node.js
Version: 12.x – 16.x
Vulnerability: HTTP/2 RCE
Severity: Critical
Date: 2021-09-29
What Undercode Say:
Analytics:
- Affects Node.js 12.22.0 to 16.6.1.
- Exploitable via HTTP/2 server/client implementations.
- CVSS Score: 9.8 (Critical).
Exploit Commands:
```bash
# Craft malicious HTTP/2 request
curl --http2 -H "Large-Header: $(python -c 'print("A"*10000)')" http://target
```
Detection:
```javascript
// Compare the running Node.js version against the 16.7.0 threshold.
const [major, minor] = process.versions.node.split('.').map(Number);
if (major < 16 || (major === 16 && minor < 7)) {
  console.log("Vulnerable to CVE-2021-22931");
}
```
Mitigation:
```bash
# Upgrade Node.js
nvm install 16.7.0
```
Protection Code:
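```javascript
const http2 = require('http2');
const server = http2.createSecureServer({
  // key and cert options for the TLS listener go here
  settings: { maxHeaderListSize: 8192 } // Enforce header size limit (HTTP/2 setting)
});
```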
Firewall Rule:
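```bash
# Block oversized HTTP/2 headers
# Note: string matching only sees cleartext payloads; TLS-encrypted traffic on 443 will not match.
iptables -A INPUT -p tcp --dport 443 -m string --string "Large-Header:" --algo bm -j DROP
```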
Log Monitoring:
```bash
# Check for exploitation attempts
grep -E 'Large-Header: .{1000,}' /var/log/nginx/access.log
```
Patch Verification:
```bash
# Dots are escaped so they match literally
node -v | grep -E '16\.7\.0|14\.17\.5|12\.22\.9'
```
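The exact-match check above misses later releases in each line (for example 16.13.2). The following is an added example, not code from the original page: it compares a version numerically against the patched releases listed above and goes beyond the page by accepting any newer release in the same line. The function names and the handling of release lines with no listed fix are assumptions.

```javascript
// Added example: classify a Node.js version against the patched releases
// listed under "Patch Verification". All names here are hypothetical.
const PATCHED_MIN = { 12: [12, 22, 9], 14: [14, 17, 5], 16: [16, 7, 0] };
const AFFECTED_MAJORS = [12, 13, 14, 15, 16]; // "12.x - 16.x" per the page

// Parse "v16.6.1" or "16.6.1" into [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 16.13.2 sorts after 16.7.0 (string comparison would not).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (!AFFECTED_MAJORS.includes(major)) return 'outside-listed-range';
  const min = PATCHED_MIN[major];
  // Assumption: a release line in the affected range with no listed fix
  // (13.x, 15.x) is reported as vulnerable.
  if (!min) return 'vulnerable';
  return compareVersions(parsed, min) >= 0 ? 'patched' : 'vulnerable';
}

// Report the status of the runtime executing this script.
console.log(process.version, classify(process.version));
```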
Exploit Prevention:
- Disable HTTP/2 if unused.
- Implement WAF rules to filter malicious headers.
- Enforce strict input validation in `http2` handlers.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1667