CVE-2021-22883

EPSS 77.4% · CWE-400
In short

Node.js can crash or become unresponsive when an attacker opens many connections that trigger the 'unknownProtocol' event and never completes them. Each such connection leaks a file descriptor, so the server eventually runs out of file descriptors or memory. Legitimate clients can no longer connect, and the whole system may be affected.

Technical detail

A denial of service vulnerability in Node.js allows an unauthenticated remote attacker to exhaust file descriptors by establishing many connections that end up in the 'unknownProtocol' state; the sockets are never cleaned up, so each connection leaks a descriptor. When a file descriptor limit is enforced, the process can no longer accept new connections and also fails at ordinary file operations; without a limit, the leaked sockets accumulate until memory is exhausted system-wide. The 'unknownProtocol' event is emitted by the HTTP/2 secure server when a TLS client connects without negotiating a recognised ALPN protocol; the fixed releases add an unknownProtocolTimeout option to http2.createSecureServer (default 10000 ms) after which such sockets are destroyed, so upgrading is the remediation and the option can be lowered further on exposed servers.

Summary generated and translated by AI from the official description.
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
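As an added example (not part of the advisory or of the Node.js project), the following check maps a Node.js version string against the fixed releases named in the description above. Release lines the advisory does not name (for example the end-of-life 11.x and 13.x lines, or anything newer than 15.x) are reported as "not listed" rather than guessed; the function and constant names are this example's own.

```javascript
// CVE-2021-22883 version check (added example, not project code).
// Fixed releases per the advisory text: 10.24.0, 12.21.0, 14.16.0, 15.10.0.
const FIXED_IN = {
  10: [10, 24, 0],
  12: [12, 21, 0],
  14: [14, 16, 0],
  15: [15, 10, 0],
};

// Accepts "v14.15.4", "14.15.4" or "v14.15.4-nightly..." and returns [major, minor, patch].
function parseVersion(versionString) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(versionString).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${versionString}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is in an affected range named by the advisory
// false -> version is at or above the fixed release for its line
// null  -> release line not listed in the advisory (no claim made)
function isVulnerable(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED_IN[v[0]];
  if (!fixed) return null;
  return compareVersions(v, fixed) < 0;
}

// Human-readable verdict for one version string.
function describe(versionString) {
  const result = isVulnerable(versionString);
  if (result === null) return `${versionString}: release line not listed in CVE-2021-22883`;
  return `${versionString}: ${result ? 'VULNERABLE' : 'fixed'} (CVE-2021-22883)`;
}

// Stand-alone use: report on the running interpreter.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(describe(process.version));
}
```

Run it under the interpreter you want to assess (`node check.js`), or feed it version strings collected from an inventory. A "fixed" verdict only covers this CVE; it says nothing about later advisories for the same release line.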
Affected products
NodeJS · Node
