Missing Release of Memory after Effective Lifetime Affecting nodejs package, versions [0,]
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Release of Memory after Effective Lifetime vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CONAN-NODEJS-15764509
- published26 Mar 2026
- disclosed26 Mar 2026
- creditgalbarnahum
Introduced: 26 Mar 2026
NewCVE-2026-21714 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in HTTP/2 servers that triggers when a client sends WINDOW_UPDATE frames on stream 0 that cause the flow control window to exceed $2^{31}-1$. Although the server responds with a GOAWAY frame, it fails to properly clean up the Http2Session object. An unauthenticated remote attacker can exploit this by continuously opening connections and sending these crafted frames. This forces the server to leak memory indefinitely, eventually causing resource exhaustion and a Denial of Service (DoS).