CVE-2021-22884: Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350) in NodeJS Node
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks because the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
AI Analysis
Technical Summary
CVE-2021-22884 is a vulnerability affecting multiple versions of Node.js prior to 10.24.0, 12.21.0, 14.16.0, and 15.10.0. The issue arises from Node.js relying on reverse DNS resolution for security-critical decisions, specifically in its DNS rebinding protection mechanism. The whitelist used to prevent DNS rebinding attacks includes the domain "localhost6". However, if "localhost6" is not defined in the system's /etc/hosts file, it is treated as a regular domain name resolved via DNS over the network. This creates an attack vector where an attacker who controls or can spoof the victim's DNS server responses can bypass the DNS rebinding protections by using the "localhost6" domain. Consequently, the attacker can perform DNS rebinding attacks similar to those described in CVE-2018-7160, which can lead to unauthorized access to internal services or sensitive information. The vulnerability stems from CWE-350, which concerns reliance on reverse DNS resolution for security decisions, a practice that is inherently insecure because DNS responses can be manipulated. No known exploits are currently reported in the wild, and no CVSS score has been assigned to this vulnerability. The affected Node.js versions span a wide range, including major LTS and current releases, indicating a broad potential impact across many Node.js deployments.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Node.js for backend services, internal APIs, or microservices architectures. DNS rebinding attacks can allow attackers to bypass same-origin policies and access internal network resources that are otherwise protected, potentially leading to unauthorized data access, service disruption, or lateral movement within corporate networks. Organizations with DNS infrastructure that can be influenced or spoofed by attackers—such as those using compromised DNS resolvers or exposed to man-in-the-middle attacks—are particularly vulnerable. The impact is heightened in sectors with sensitive data or critical infrastructure, including finance, healthcare, and government services, which are prevalent in Europe. Additionally, the vulnerability could be exploited to target cloud-hosted Node.js applications if DNS controls are weak. Given the widespread use of Node.js in web applications and services, the scope of affected systems is broad, increasing the potential for significant confidentiality and integrity breaches. Availability impact is less direct but could occur if attackers leverage the vulnerability to disrupt services or cause application failures.
Mitigation Recommendations
European organizations should take the following specific actions:
1) Immediately audit all Node.js environments to identify versions affected by this vulnerability and prioritize upgrading to patched versions (10.24.0, 12.21.0, 14.16.0, 15.10.0 or later).
2) Ensure that the /etc/hosts file on all relevant systems explicitly defines "localhost6" to prevent it from being resolved via external DNS, thereby mitigating the attack vector.
3) Harden DNS infrastructure by deploying DNSSEC where possible to prevent spoofing and ensure DNS response integrity.
4) Restrict DNS server access and monitor DNS traffic for anomalies indicative of spoofing or manipulation.
5) Implement network segmentation and strict firewall rules to limit access to internal services from untrusted networks, reducing the impact of successful DNS rebinding.
6) Conduct penetration testing focused on DNS rebinding scenarios to validate the effectiveness of mitigations.
7) Educate developers and system administrators about the risks of relying on DNS for security decisions and encourage secure coding practices that do not depend on reverse DNS resolution.
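The first two actions above (version audit and the /etc/hosts check) can be automated per host. The following JavaScript is an added example, not code from the Node.js project or from this advisory; the function names and sample hosts files are constructed, and reporting release lines with no fix named on this page (11.x, 13.x) as "unlisted" is an assumption.

```javascript
// Added example: audit helper for CVE-2021-22884 (all names are illustrative).
// First fixed release per release line, as listed in the advisory text.
const FIXED = { 10: [10, 24, 0], 12: [12, 21, 0], 14: [14, 16, 0], 15: [15, 10, 0] };

// Classify a Node.js version string such as "v14.15.4".
function versionStatus(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const ver = m.slice(1).map(Number);
  if (ver[0] > 15) return 'fixed';     // newer than every release the advisory names
  if (ver[0] < 10) return 'affected';  // older than every fixed release
  const fix = FIXED[ver[0]];
  if (!fix) return 'unlisted';         // assumption: no fix for this line is named on the page
  for (let i = 1; i < 3; i++) {
    if (ver[i] !== fix[i]) return ver[i] < fix[i] ? 'affected' : 'fixed';
  }
  return 'fixed';
}

// Return the address a hosts file pins `name` to, or null if it has no entry.
function hostsLookup(hostsText, name) {
  for (const raw of hostsText.split(/\r?\n/)) {
    const fields = raw.replace(/#.*$/, '').trim().split(/\s+/);
    if (fields.length < 2) continue; // blank line, comment, or address without names
    if (fields.slice(1).some((n) => n.toLowerCase() === name)) return fields[0];
  }
  return null;
}

const isLoopback = (addr) => addr === '::1' || /^127(\.\d{1,3}){3}$/.test(addr);

// Combine both checks: a host is exposed when its Node.js build is not known
// to be fixed AND "localhost6" is not pinned to a loopback address locally.
function audit(version, hostsText) {
  const status = versionStatus(version);
  const addr = hostsLookup(hostsText, 'localhost6');
  const pinned = addr !== null && isLoopback(addr);
  return { status, localhost6: addr, pinned, exposed: status !== 'fixed' && !pinned };
}

// Constructed sample hosts files (not taken from any real system).
const HOSTS_WITHOUT = '127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n';
const HOSTS_WITH = '127.0.0.1 localhost\n::1 localhost localhost6 localhost6.localdomain6 # pinned\n';

console.log(audit('v14.15.4', HOSTS_WITHOUT)); // old build, name falls through to DNS
console.log(audit('v14.15.4', HOSTS_WITH));    // old build, name pinned locally
console.log(audit('v14.16.0', HOSTS_WITHOUT)); // fixed build
```

On a real host, pass `process.version` and the contents of `/etc/hosts` to `audit`.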
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2021-01-06T00:00:00
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed423
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 2:34:26 PM
Last updated: 8/18/2025, 9:30:52 AM