Node.js before versions 15.10.0, 14.16.0, 12.21.0 and 10.24.0 is vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
Node.js before versions 15.10.0, 14.16.0, 12.21.0 and 10.24.0 is vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#http2-unknownprotocol-cause-denial-of-service-by-resource-exhaustion-critical-cve-2021-22883 https://hackerone.com/reports/1043360 https://github.com/nodejs-private/node-private/pull/246 https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78 https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9 https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f