CVE-2021-22883: Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol'…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Affected

35 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	nodejs	< nodejs 12.21.0~dfsg-1 (bookworm)	nodejs 12.21.0~dfsg-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
nodejs	node	>= 10.0 < 10.24.0	10.24.0
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.21.0	12.21.0
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.16.0	14.16.0
nodejs	node	>= 15.0 < 15.10.0	15.10.0
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*
nodejs	node	>= 6.0 < 6.*	6.*
nodejs	node	>= 7.0 < 7.*	7.*
nodejs	node	>= 8.0 < 8.*	8.*
nodejs	node	>= 9.0 < 9.*	9.*
nodejs	node.js	>= 10.0.0 < 10.24.0	10.24.0
nodejs	node.js	>= 12.0.0 < 12.21.0	12.21.0
nodejs	node.js	>= 14.0.0 < 14.16.0	14.16.0
nodejs	node.js	>= 15.0.0 < 15.10.0	15.10.0
nodejs	nodejs	>= 0 < 12.21.0~dfsg-1	12.21.0~dfsg-1
nodejs	nodejs	>= 0 < 12.21.0~dfsg-1	12.21.0~dfsg-1
nodejs	nodejs	>= 0 < 12.21.0~dfsg-1	12.21.0~dfsg-1
nodejs	nodejs	>= 0 < 12.21.0~dfsg-1	12.21.0~dfsg-1
nodejs	nodejs	>= 0 < 10.19.0~dfsg-3ubuntu1.2	10.19.0~dfsg-3ubuntu1.2

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH