Thanks for your report. Can you give us some instructions for starting the server? We have no experience with Node.js. Or just describe how the DoS attack works.
With the use of a malicious server, it is possible to cause a stack exhaustion.
Run a local or remote server using the custom server provided in the attachment. Node.js is needed to run the server. After starting the server, connect to it using the following settings:
Port number: 22
The server does not have a password
WinSCP version: 5.19
OS version: Windows 10 Education x64