Masu haɓaka dandalin JavaScript-gefen sabar Node.js sun buga gyara gyara 12.22.4, 14.17.4 da 16.6.0, wanda wani bangare ya gyara wani rauni (CVE-2021-22930) a cikin http2 module (HTTP/2.0 abokin ciniki) , wanda ke ba ka damar fara ɓarna ko yuwuwar tsara aiwatar da lambar ku a cikin tsarin lokacin samun damar rundunar da maharin ke sarrafawa.
Matsalar tana faruwa ne ta hanyar samun damar ƙwaƙwalwar ajiya da aka riga aka warware yayin rufe haɗin gwiwa bayan karɓar firam ɗin RST_STREAM (sake saitin zaren) don zaren da ke yin aikin karantawa mai zurfi wanda toshe ya rubuta. Idan an karɓi firam ɗin RST_STREAM ba tare da ƙayyadadden lambar kuskure ba, ƙirar http2 kuma tana kiran tsarin tsaftacewa don bayanan da aka riga aka karɓa, daga inda ake sake kiran mai kula da rufewa don rafi da aka riga aka rufe, wanda ke haifar da sakin tsarin bayanai sau biyu.
Tattaunawar faci ta lura cewa matsalar ba a gama warware ta gaba ɗaya ba kuma, a ƙarƙashin ɗan gyare-gyaren yanayi, tana ci gaba da bayyana a sabuntawar da aka buga. Binciken ya nuna cewa gyara kawai yana rufe ɗaya daga cikin lokuta na musamman - lokacin da zaren yana cikin yanayin karatu, amma ba ya la'akari da wasu jihohin zaren (karantawa da dakatarwa, dakatarwa da wasu nau'ikan rubutu).
source: budenet.ru