diff --git a/CVE-2021-22883.patch b/CVE-2021-22883.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e50657705fc1972cdfa3fe27089c141ba950600
--- /dev/null
+++ b/CVE-2021-22883.patch
@@ -0,0 +1,219 @@
+From 922ada77132c1b0b69c9a146822d762b2f9b912b Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Fri, 22 Jan 2021 12:34:21 +0100
+Subject: [PATCH] http2: add unknownProtocol timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit add a configuration options named unknownProtocolTimeout
+which can be specified to set a value for the timeout in milliseconds
+that a server should wait when an unknowProtocol is sent to it. When
+this happens a timer will be started and the if the socket has not been
+destroyed during that time the timer callback will destoy it.
+
+Refs: https://hackerone.com/reports/1043360
+CVE-ID: CVE-2021-22883
+PR-URL: https://github.com/nodejs/node/pull/246
+Backport-PR-URL: https://github.com/nodejs/node/pull/250
+Reviewed-By: Beth Griggs <bgriggs@redhat.com>
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Rich Trott <rtrott@gmail.com>
+Reviewed-By: Tobias Nießen <tniessen@tnie.de>
+Reference: https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
+---
+ doc/api/http2.md                              | 25 +++++++++++++-
+ lib/internal/http2/core.js                    | 31 ++++++++++++++---
+ .../test-http2-server-unknown-protocol.js     | 33 +++++++++++++++++++
+ 3 files changed, 84 insertions(+), 5 deletions(-)
+ create mode 100644 test/parallel/test-http2-server-unknown-protocol.js
+
+diff --git a/doc/api/http2.md b/doc/api/http2.md
+index 40a107f..d57a560 100644
+--- a/doc/api/http2.md
++++ b/doc/api/http2.md
+@@ -1908,7 +1908,9 @@ added: v8.4.0
+ The `'unknownProtocol'` event is emitted when a connecting client fails to
+ negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler
+ receives the socket for handling. If no listener is registered for this event,
+-the connection is terminated. See the [Compatibility API][].
++the connection is terminated. A timeout may be specified using the
++`'unknownProtocolTimeout'` option passed to [`http2.createSecureServer()`][].
++See the [Compatibility API][].
+ 
+ #### `server.close([callback])`
+ <!-- YAML
+@@ -1948,6 +1950,9 @@ error will be thrown.
+ <!-- YAML
+ added: v8.4.0
+ changes:
++  - version: REPLACEME
++    pr-url: https://github.com/nodejs-private/node-private/pull/250
++    description: Added `unknownProtocolTimeout` option with a default of 10000.
+   - version:
+      - v12.18.0
+     pr-url: https://github.com/nodejs-private/node-private/pull/206
+@@ -2050,6 +2055,10 @@ changes:
+     `Http2ServerResponse` class to use.
+     Useful for extending the original `Http2ServerResponse`.
+     **Default:** `Http2ServerResponse`.
++  * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
++    a server should wait when an [`'unknownProtocol'`][] is emitted. If the
++    socket has not been destroyed by that time the server will destroy it.
++    **Default:** `10000`.
+   * ...: Any [`net.createServer()`][] option can be provided.
+ * `onRequestHandler` {Function} See [Compatibility API][]
+ * Returns: {Http2Server}
+@@ -2086,6 +2095,9 @@ server.listen(80);
+ <!-- YAML
+ added: v8.4.0
+ changes:
++  - version: REPLACEME
++    pr-url: https://github.com/nodejs-private/node-private/pull/250
++    description: Added `unknownProtocolTimeout` option with a default of 10000.
+   - version:
+      - v12.18.0
+     pr-url: https://github.com/nodejs-private/node-private/pull/206
+@@ -2178,6 +2190,10 @@ changes:
+     servers, the identity options (`pfx` or `key`/`cert`) are usually required.
+   * `origins` {string[]} An array of origin strings to send within an `ORIGIN`
+     frame immediately following creation of a new server `Http2Session`.
++  * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
++    a server should wait when an [`'unknownProtocol'`][] event is emitted. If
++    the socket has not been destroyed by that time the server will destroy it.
++    **Default:** `10000`.
+ * `onRequestHandler` {Function} See [Compatibility API][]
+ * Returns: {Http2SecureServer}
+ 
+@@ -2211,6 +2227,9 @@ server.listen(80);
+ <!-- YAML
+ added: v8.4.0
+ changes:
++  - version: REPLACEME
++    pr-url: https://github.com/nodejs-private/node-private/pull/250
++    description: Added `unknownProtocolTimeout` option with a default of 10000.
+   - version:
+      - v12.18.0
+     pr-url: https://github.com/nodejs-private/node-private/pull/206
+@@ -2294,6 +2313,10 @@ changes:
+     instance passed to `connect` and the `options` object, and returns any
+     [`Duplex`][] stream that is to be used as the connection for this session.
+   * ...: Any [`net.connect()`][] or [`tls.connect()`][] options can be provided.
++  * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
++    a server should wait when an [`'unknownProtocol'`][] event is emitted. If
++    the socket has not been destroyed by that time the server will destroy it.
++    **Default:** `10000`.
+ * `listener` {Function} Will be registered as a one-time listener of the
+   [`'connect'`][] event.
+ * Returns: {ClientHttp2Session}
+diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
+index 2116bc8..e9a63fe 100644
+--- a/lib/internal/http2/core.js
++++ b/lib/internal/http2/core.js
+@@ -33,7 +33,7 @@ const net = require('net');
+ const { Duplex } = require('stream');
+ const tls = require('tls');
+ const { URL } = require('url');
+-const { setImmediate } = require('timers');
++const { setImmediate, setTimeout, clearTimeout } = require('timers');
+ 
+ const { kIncomingMessage } = require('_http_common');
+ const { kServerResponse } = require('_http_server');
+@@ -2721,14 +2721,14 @@ function handleHeaderContinue(headers) {
+     this.emit('continue');
+ }
+ 
+-const setTimeout = {
++const setTimeoutValue = {
+   configurable: true,
+   enumerable: true,
+   writable: true,
+   value: setStreamTimeout
+ };
+-ObjectDefineProperty(Http2Stream.prototype, 'setTimeout', setTimeout);
+-ObjectDefineProperty(Http2Session.prototype, 'setTimeout', setTimeout);
++ObjectDefineProperty(Http2Stream.prototype, 'setTimeout', setTimeoutValue);
++ObjectDefineProperty(Http2Session.prototype, 'setTimeout', setTimeoutValue);
+ 
+ 
+ // When the socket emits an error, destroy the associated Http2Session and
+@@ -2788,6 +2788,22 @@ function connectionListener(socket) {
+     debug('Unknown protocol from %s:%s',
+           socket.remoteAddress, socket.remotePort);
+     if (!this.emit('unknownProtocol', socket)) {
++      debug('Unknown protocol timeout:  %s', options.unknownProtocolTimeout);
++      // Install a timeout if the socket was not successfully closed, then
++      // destroy the socket to ensure that the underlying resources are
++      // released.
++      const timer = setTimeout(() => {
++        if (!socket.destroyed) {
++          debug('UnknownProtocol socket timeout, destroy socket');
++          socket.destroy();
++        }
++      }, options.unknownProtocolTimeout);
++      // Un-reference the timer to avoid blocking of application shutdown and
++      // clear the timeout if the socket was successfully closed.
++      timer.unref();
++
++      socket.once('close', () => clearTimeout(timer));
++
+       // We don't know what to do, so let's just tell the other side what's
+       // going on in a format that they *might* understand.
+       socket.end('HTTP/1.0 403 Forbidden\r\n' +
+@@ -2836,6 +2852,13 @@ function initializeOptions(options) {
+     );
+   }
+ 
++  if (options.unknownProtocolTimeout !== undefined)
++    validateUint32(options.unknownProtocolTimeout, 'unknownProtocolTimeout');
++  else
++    // TODO(danbev): is this a good default value?
++    options.unknownProtocolTimeout = 10000;
++
++
+   // Used only with allowHTTP1
+   options.Http1IncomingMessage = options.Http1IncomingMessage ||
+     http.IncomingMessage;
+diff --git a/test/parallel/test-http2-server-unknown-protocol.js b/test/parallel/test-http2-server-unknown-protocol.js
+new file mode 100644
+index 0000000..639bbe4
+--- /dev/null
++++ b/test/parallel/test-http2-server-unknown-protocol.js
+@@ -0,0 +1,33 @@
++'use strict';
++const common = require('../common');
++const fixtures = require('../common/fixtures');
++
++// This test verifies that when a server receives an unknownProtocol it will
++// not leave the socket open if the client does not close it.
++
++if (!common.hasCrypto)
++  common.skip('missing crypto');
++
++const h2 = require('http2');
++const tls = require('tls');
++
++const server = h2.createSecureServer({
++  key: fixtures.readKey('rsa_private.pem'),
++  cert: fixtures.readKey('rsa_cert.crt'),
++  unknownProtocolTimeout: 500,
++  allowHalfOpen: true
++});
++
++server.on('connection', (socket) => {
++  socket.on('close', common.mustCall(() => {
++    server.close();
++  }));
++});
++
++server.listen(0, function() {
++  tls.connect({
++    port: server.address().port,
++    rejectUnauthorized: false,
++    ALPNProtocols: ['bogus']
++  });
++});
+-- 
+2.23.0
+
diff --git a/CVE-2021-22884.patch b/CVE-2021-22884.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c95ce906cb2d91f66789e1b42e1c27ec55b65d4c
--- /dev/null
+++ b/CVE-2021-22884.patch
@@ -0,0 +1,39 @@
+From 1564752d553f582c8048ee45614f870ee2a446c9 Mon Sep 17 00:00:00 2001
+From: Matteo Collina <hello@matteocollina.com>
+Date: Thu, 14 Jan 2021 16:04:44 +0100
+Subject: [PATCH] src: drop localhost6 as allowed host for inspector
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-ID: CVE-2021-22884
+Refs: https://hackerone.com/bugs?report_id=1069487
+PR-URL: https://github.com/nodejs/node/pull/244
+Reviewed-By: Beth Griggs <bgriggs@redhat.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Mary Marchini <oss@mmarchini.me>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Michaël Zasso <targos@protonmail.com>
+Reviewed-By: Rich Trott <rtrott@gmail.com>
+Reference: https://github.com/nodejs/node/commit/1564752d553f582c8048ee45614f870ee2a446c9
+---
+ src/inspector_socket.cc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
+index a701928..25f3787 100644
+--- a/src/inspector_socket.cc
++++ b/src/inspector_socket.cc
+@@ -584,8 +584,7 @@ class HttpHandler : public ProtocolHandler {
+   bool IsAllowedHost(const std::string& host_with_port) const {
+     std::string host = TrimPort(host_with_port);
+     return host.empty() || IsIPAddress(host)
+-           || node::StringEqualNoCase(host.data(), "localhost")
+-           || node::StringEqualNoCase(host.data(), "localhost6");
++           || node::StringEqualNoCase(host.data(), "localhost");
+   }
+ 
+   bool parsing_value_;
+-- 
+2.23.0
+
diff --git a/nodejs.spec b/nodejs.spec
index 2f2105272a6414a4cfeff3398c022e29c4ac6732..882bdd747ab45ade7ab46355a602bd0442aad3e5 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,5 +1,5 @@
 %bcond_with bootstrap
-%global baserelease 2
+%global baserelease 3
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %global nodejs_epoch 1
 %global nodejs_major 12
@@ -85,6 +85,9 @@ Patch0002: 0002-Install-both-binaries-and-use-libdir.patch
 Patch0003: 0003-Modify-openEuler-aarch64-v8_os_page_size-to-64.patch
 %endif
 Patch0004: 0004-Make-AARCH64-compile-on-64KB-physical-pages.patch
+Patch0005: CVE-2021-22883.patch
+Patch0006: CVE-2021-22884.patch
+
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
@@ -486,6 +489,9 @@ end
 %{_pkgdocdir}/npm/docs
 
 %changelog
+* Mon Mar 15 2021 xinghe <xinghe1@huawei.com> - 1:12.18.4-3
+- fix CVE-2021-22883 CVE-2021-22884
+
 * Mon Jan 04 2020 huanghaitao <huanghaitao8@huawei.com> - 1:12.18.4-2
 - Make AARCH64 compile on 64KB physical pages to fix build error