CVE-2021-22883

HIGH

Node.js <10.24.0,12.21.0,14.16.0,15.10.0 - DoS

Title source: llm
STIX 2.1

Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

References (10)

Core 10
Core References
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1043360
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210416-0001/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Scores

CVSS v3 7.5
EPSS 0.7739
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-772 CWE-400
Status published
Products (15)
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
netapp/e-series_performance_analyzer
nodejs/node.js 10.0.0 - 10.24.0
nodejs/node.js 15.0.0 - 15.10.0
oracle/graalvm 19.3.5
oracle/graalvm 20.3.1.2
oracle/graalvm 21.0.0.2
oracle/jd_edwards_enterpriseone_tools < 9.2.6.0
... and 5 more
Published Mar 03, 2021
Tracked Since Feb 18, 2026