Node.js 14.x versions prior to 14.11 are vulnerable to a denial of service condition based on delayed requests. When used as an edge server, an attacker can initiate but not complete a large number of HTTP requests causing resource exhaustion and rendering the server unable to accept new connections. In 14.11 a new option "http.Server.requestTimeout" is introduced to mitigate this vulnerability.

Upstream advisory: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1879332]
Affects: fedora-all [bug 1879333]

Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879334]
Upstream fix: https://github.com/nodejs/node/commit/753f3b247ae2d24fee0b3f48b9ec3a5c308f0650
Statement: NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.