http: fix use-after-free when freeParser is called during llhttp_execute by Flarna · Pull Request #62095 · nodejs/node

@nodejs-github-bot added the c++, http, http_parser and needs-ci labels

Mar 3, 2026

@Flarna changed the title from "http: fix use-after-free when freeParser() is called during llhttp_execute()" to "http: fix use-after-free when freeParser is called during llhttp_execute"

Mar 3, 2026

@Flarna

When pipelined requests arrive in one TCP segment, llhttp_execute()
parses them all in a single call. If a synchronous 'close' event
handler invokes freeParser() mid-execution, cleanParser() nulls out
parser state while llhttp_execute() is still on the stack, crashing on
the next callback.

Add an is_being_freed_ flag that freeParser() sets via
parser.markFreed() before cleaning state. Proxy::Raw checks the flag
before every callback and returns HPE_USER to abort execution early if
set.
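
The guard described above, reduced to a self-contained model. This is an added example, not code from the pull request or from Node.js: `ToyParser`, `Dispatch`, `Execute`, `Free` and `kAbortedByUser` are hypothetical stand-ins for the binding's parser, its callback proxy, `llhttp_execute()`, `freeParser()` and `HPE_USER`, and the input segment is constructed.

```cpp
#include <string>

// Added illustration; all names are hypothetical, not Node.js or llhttp identifiers.
enum ExecResult { kOk, kAbortedByUser };  // kAbortedByUser plays the role of HPE_USER

struct ToyParser;
using Callback = void (*)(ToyParser&);

struct ToyParser {
  Callback on_message_complete = nullptr;  // state that cleanup nulls out
  bool is_being_freed = false;             // guard flag, as described in the PR
  int callbacks_run = 0;

  // Free path: mark first, then clean state.
  void Free() {
    is_being_freed = true;
    on_message_complete = nullptr;
  }

  // Every callback goes through here; the flag is checked before state is used.
  // Without this check, the second message below would call through a null pointer.
  ExecResult Dispatch() {
    if (is_being_freed) return kAbortedByUser;
    ++callbacks_run;
    on_message_complete(*this);
    return kOk;
  }

  // One call parses the whole segment; each '\n' ends one pipelined message.
  ExecResult Execute(const std::string& segment) {
    for (char c : segment)
      if (c == '\n' && Dispatch() != kOk) return kAbortedByUser;
    return kOk;
  }
};

// Constructed handler: stands in for a synchronous 'close' listener that frees the parser.
void CloseHandlerFreesParser(ToyParser& p) { p.Free(); }

// Constructed input: two pipelined messages delivered in one segment.
ExecResult RunPipelined(ToyParser& p) {
  p.on_message_complete = CloseHandlerFreesParser;
  return p.Execute("GET /a\nGET /b\n");
}

int main() {
  ToyParser p;
  return RunPipelined(p) == kAbortedByUser && p.callbacks_run == 1 ? 0 : 1;
}
```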

@Flarna added the author ready label

Mar 4, 2026

mcollina

anonrig

@Flarna removed the commit-queue label

Mar 5, 2026

@Flarna

@Flarna added the commit-queue-squash label

Mar 5, 2026

addaleax

@Flarna added the commit-queue label

Mar 6, 2026

@Flarna deleted the http_parser_use_after_free branch

March 6, 2026 06:39

aduh95 pushed a commit that referenced this pull request

Mar 10, 2026
When pipelined requests arrive in one TCP segment, llhttp_execute()
parses them all in a single call. If a synchronous 'close' event
handler invokes freeParser() mid-execution, cleanParser() nulls out
parser state while llhttp_execute() is still on the stack, crashing on
the next callback.

Add an is_being_freed_ flag that freeParser() sets via
parser.markFreed() before cleaning state. Proxy::Raw checks the flag
before every callback and returns HPE_USER to abort execution early if
set.

PR-URL: #62095
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>

tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request

Mar 12, 2026