moleculerjs / moleculer-web

Official API Gateway service for Moleculer framework
http://moleculer.services/docs/moleculer-web.html
MIT License

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251) #206

Closed: intech closed this issue 2 years ago

intech commented 4 years ago

Add a default property value and add requestTimeout for http.Server to the settings

References: Node.js blog, Node.js Docs

icebob commented 3 years ago

There is a httpServerTimeout property in the service settings. Can it cover this issue?

https://github.com/moleculerjs/moleculer-web/blob/master/src/index.js#L283

intech commented 3 years ago

@icebob Unfortunately not, this is a separate variable that works in a separate place from the general request timeout. See this commit for more info.
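The distinction discussed in this thread, as an added example that is not part of the thread and not moleculer-web's own code: on a Node.js `http.Server`, the socket inactivity timeout and the whole-request deadline are two separate properties, so setting one leaves the other at its default. Assumptions: the settings key `requestTimeout` is the name proposed in the issue, the 30-second default is chosen for illustration, and the helper names `applyServerTimeouts` and `auditServerTimeouts` are hypothetical.

```javascript
// Added example, not moleculer-web code. The `requestTimeout` settings key is
// the name proposed in this issue; the 30 s default below is an assumption.
const DEFAULT_REQUEST_TIMEOUT_MS = 30 * 1000;

// Apply both timeouts to a Node.js http.Server and return the effective values.
function applyServerTimeouts(server, settings = {}) {
  // Socket inactivity timeout: fires only when the connection goes idle.
  if (settings.httpServerTimeout != null) {
    server.timeout = settings.httpServerTimeout;
  }
  // Whole-request deadline: a separate property, absent before Node.js 14.11.
  if (!("requestTimeout" in server)) {
    throw new Error("this Node.js version has no server.requestTimeout");
  }
  const requestTimeout = settings.requestTimeout ?? DEFAULT_REQUEST_TIMEOUT_MS;
  if (!Number.isInteger(requestTimeout) || requestTimeout < 0) {
    throw new RangeError("requestTimeout must be a non-negative integer (ms)");
  }
  server.requestTimeout = requestTimeout;
  // Keep the header deadline inside the request deadline.
  if (requestTimeout > 0 && server.headersTimeout > requestTimeout) {
    server.headersTimeout = requestTimeout;
  }
  return {
    timeout: server.timeout,
    requestTimeout: server.requestTimeout,
    headersTimeout: server.headersTimeout,
  };
}

// Report settings that leave the time to receive a request unbounded.
function auditServerTimeouts(server) {
  const findings = [];
  if (!("requestTimeout" in server)) findings.push("requestTimeout unsupported");
  else if (server.requestTimeout === 0) findings.push("requestTimeout disabled");
  if (server.headersTimeout === 0) findings.push("headersTimeout disabled");
  return findings;
}

// Stand-alone demo on a real (never listening) server.
if (typeof require === "function" && typeof module !== "undefined" && require.main === module) {
  const server = require("http").createServer((req, res) => res.end("ok"));
  server.requestTimeout = 0; // constructed: the default before Node.js 18
  server.setTimeout(20000);  // inactivity timeout only
  console.log(auditServerTimeouts(server));
  console.log(applyServerTimeouts(server, { httpServerTimeout: 20000 }));
  console.log(auditServerTimeouts(server));
}
```
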