The Wire · Showcase
HTTP2 HEAP-USE-AFTER-FREE FIX LANDS IN NODE CORE
By RepoJournal · Filed · About Node.js
Node shipped a critical fix for a heap-use-after-free vulnerability in HTTP/2 stream handling that could crash servers under specific receive-and-send patterns.
The HTTP/2 team patched a nasty UAF in nghttp2_session_mem_recv() where RST_STREAM frames were being processed while nghttp2 was still iterating over streams [1]. The fix defers RST_STREAM handling until receive operations complete, preventing the session from closing streams that the underlying library is still touching. This is the kind of subtle memory safety issue that can stay dormant for years then explode under load. Beyond core, the team also landed documentation improvements covering TLS alpnProtocol and servername fields [2], finally giving these long-present properties the explicit coverage they deserved. Minor hygiene work continues across the codebase with comment and doc typo corrections [3] [4]. The nightly build pipeline remains active [5].
Action items
- → Pull the HTTP/2 UAF fix [ref:2] into your next release branch nodejs/node [immediate]
- → Review TLS alpnProtocol documentation updates [ref:6] if you expose these fields to users nodejs/node [plan]
References
- [1] http2: avoid uaf while receiving and sending rst_stream ↗ nodejs/node
- [2] doc: document TLS alpnProtocol and servername fields ↗ nodejs/node
- [3] src: fix comment typos nodejs/node
- [4] doc: fix typos in contributing docs nodejs/node
- [5] snap: (auto) updated to 27.0.0-nightly20260718b8f81e9760 nodejs/snap