According to Node.js, the issues affect versions of Node.js from version 0.12.x up to version 5.x.
What is Node.js?
Node.js is very popular among new startups and companies that choose to use a “FullStack”-based web environment. It allows companies to accelerate web application development.
Node is becoming more popular in large-scale organisations; its usage increased by 240% in the last year. However, according to recent market surveys, its distribution is still on the low side compared to other web frameworks. It is currently in use by companies like PayPal, LinkedIn, HP etc.
How likely are hackers to use this flaw?
We’ve witnessed attackers leveraging all kinds of DoS vulnerabilities to attack web-based infrastructures; attackers tend to adjust their methods to the attacked platform. We’re likely to start seeing DoS attack attempts right after a vulnerability is publicly disclosed. Due to the high popularity of Node.js, it will probably be incorporated into DoS attack tools.
Aside from patching, what steps can organisations take to protect themselves?
It is always a good practice to have a WAF/L7 DDoS solution in place. Organisations must take measures to have an always-on solution and enjoy the benefits of virtual patching of their web applications by their security providers.
How bad could an attack be against a company's infrastructure?
The vulnerability is an application-level vulnerability; thus, infrastructures are not directly affected by it. However, attackers may use it to take down servers with other services on them. Organisations with web-facing applications that are heavily based on Node.js would be vulnerable to this kind of attack. An attacker on a single machine would be able to completely take down those services.
Although there is no publicly disclosed information regarding the vulnerability, our past experience shows that a vulnerable web service could be used to corrupt the entire service or other relying services.