The Node developers have pushed out Node 0.10.21, saying it “contains a security fix for the http server implementation”, but gave no further details in the announcement beyond asking people to upgrade as soon as possible.
Elsewhere, though, the problem was identified as a trivial-to-trigger denial of service vulnerability. As “meritt” explained in a Hacker News posting, a memory leak in the HTTP pipelining code could make systems run out of memory if flooded with pipelined requests whose responses were never read. The Node code was also updated with a test that exercises the flaw, and others have posted shorter exploits of the problem. Despite some reports saying the problem affected only 0.10 and later, there has also been an updated Node 0.8 release, Node 0.8.26, which carries the same security fix note and has the same fix and test added.
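The failure mode described above is a missing bound: a client keeps pipelining requests and never drains the responses, so the server's queued work and buffered output grow without limit. The following is an added example, not Node's fix and not code from the post, showing the shape of a defence-in-depth guard for that class of problem: it caps how many pipelined requests one connection may have outstanding, and how many undrained response bytes Node may hold for it, before the connection is dropped. The class name `PipelineGuard`, the helper `attachPipelineGuard()`, the two limits and the demo server are this example's own assumptions.

```javascript
'use strict';

// Added example, not the Node project's fix and not code from the post.
// A defence-in-depth guard that refuses to let one connection queue an
// unbounded number of pipelined HTTP requests, or an unbounded number of
// undrained response bytes, before the server cuts it off. The class name,
// the two limits and attachPipelineGuard() are this example's own choices.

class PipelineGuard {
  constructor({ maxPending = 32, maxBufferedBytes = 1024 * 1024 } = {}) {
    this.maxPending = maxPending;             // requests awaiting a response, per connection
    this.maxBufferedBytes = maxBufferedBytes; // response bytes the client has not yet read
    this.pending = new WeakMap();             // socket -> outstanding request count
    this.dropped = 0;                         // connections destroyed by the guard
  }

  // Call when the parser delivers a new request on `socket`.
  // Returns true when the connection has been destroyed.
  onRequest(socket) {
    const n = (this.pending.get(socket) || 0) + 1;
    this.pending.set(socket, n);
    // writableLength is the number of bytes Node still holds in user space
    // because the peer is not reading; a client that pipelines requests but
    // never reads the responses drives this number up.
    const buffered = socket.writableLength || 0;
    if (n > this.maxPending || buffered > this.maxBufferedBytes) {
      this.dropped += 1;
      this.pending.delete(socket);
      socket.destroy();
      return true;
    }
    return false;
  }

  // Call once the response to an earlier request has been fully handed to the socket.
  onResponseFinish(socket) {
    const n = this.pending.get(socket);
    if (n !== undefined) this.pending.set(socket, Math.max(0, n - 1));
  }
}

// Wire the guard in front of an http.Server's application handler.
// Register it before your own 'request' listener so that it runs first.
function attachPipelineGuard(server, guard) {
  server.on('request', (req, res) => {
    const socket = req.socket;
    if (guard.onRequest(socket)) return; // connection already gone
    res.once('finish', () => guard.onResponseFinish(socket));
  });
  return guard;
}

// Demo server: trivial responses behind the guard (assumed port 8080).
function startDemoServer(port = 8080) {
  const http = require('http');
  const guard = new PipelineGuard({ maxPending: 32, maxBufferedBytes: 1024 * 1024 });
  const server = http.createServer();
  attachPipelineGuard(server, guard);
  server.on('request', (req, res) => {
    if (req.socket.destroyed) return; // the guard dropped this client
    res.setHeader('Content-Type', 'text/plain');
    res.end('hello\n');
  });
  server.listen(port);
  return server;
}

// Start the demo only when this file is executed directly.
if (typeof require === 'function' && require.main === module) {
  startDemoServer();
}
```

Run it with `node guard.js` and point an HTTP client at port 8080. The guard is a mitigation for unpatched deployments and a monitoring hook (`guard.dropped`), not a substitute for the upgrade: the fixed releases add the missing backpressure inside Node itself. On current Node versions `server.maxRequestsPerSocket` also bounds the number of requests served on one keep-alive connection; check your version with `node -v`.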
The take-away: if you run Node as an HTTP server, update now to avoid denial of service.
This article was imported from the original CodeScaling blog