Certain requests like GET /.x cause an infinite loop in pmm-managed's AuthServer.authenticate method and nextPrefix function. Effectively, that's a DoS vector that can be exploited by anyone who knows the PMM Server address. Credentials knowledge is not required.
That's an unintended side effect of the AWS setup wizard introduced in 2.2.0. No other versions are affected.