CVE-2021-22939
In short
Node.js did not validate the rejectUnauthorized option of its https API: when the option was passed as undefined rather than an explicit boolean, no error was returned and connections to servers presenting an expired TLS (SSL) certificate were accepted. An expired certificate should cause the connection to be rejected, because accepting it weakens the protection HTTPS gives against man-in-the-middle attacks.
Technical detail
When the rejectUnauthorized parameter of the Node.js https API was set to undefined instead of an explicit boolean, the validation error that should have been raised was not, and the connection was accepted. An application that relied on certificate verification but passed undefined (for example, a configuration value that was never set) would therefore connect to a server presenting an expired certificate. An attacker who can present such a certificate and get the client to connect to them could then intercept the HTTPS traffic. The misuse on the application side is passing a non-boolean value; the missing check was in Node.js itself.
Summary generated and translated by AI from the official description.
If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
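The technical detail above turns on how an undefined rejectUnauthorized reaches the https API in the first place. The following is an added example, not code from the advisory, from Node.js, or from TrueHacking: it shows the common merge pattern that lets an unset configuration value overwrite a safe default with undefined, and a guard that only accepts an explicit boolean. The hostname, path, the sample configuration objects and the helper names are assumptions made for the example; the https.request call is wired up but not executed, so the block runs offline.

```javascript
'use strict';
// Added example (not from the advisory, from Node.js, or from TrueHacking).
// Shows how an undefined `rejectUnauthorized` can reach the https API from a
// config object, and a guard that accepts only an explicit boolean.

// Base options for an outbound HTTPS call. Host and path are assumed values.
const BASE_OPTIONS = Object.freeze({
  hostname: 'api.example.com',
  port: 443,
  path: '/v1/health',
  method: 'GET',
  rejectUnauthorized: true, // intended default: verify the server certificate
});

// Naive merge, as commonly written. Object spread copies own enumerable keys
// even when their value is `undefined`, so `{ rejectUnauthorized: undefined }`
// silently replaces the `true` above with `undefined`.
function requestOptionsFrom(config) {
  return { ...BASE_OPTIONS, ...config };
}

// Hardened merge: refuse anything that is not literally `true` or `false`.
// On an unpatched Node.js this turns a silently accepted expired certificate
// into an error before any connection is made; on a fixed Node.js it is still
// worth keeping, because strings such as "false" (a typical value read from an
// environment variable) are truthy and would also be wrong.
function hardenedRequestOptions(config) {
  const opts = requestOptionsFrom(config);
  const v = opts.rejectUnauthorized;
  if (typeof v !== 'boolean') {
    throw new TypeError(
      `rejectUnauthorized must be a boolean, got ${typeof v} (${String(v)})`,
    );
  }
  return opts;
}

// Issues the request with validated options. Not called at top level, so the
// example runs offline; `httpsModule` is injectable for testing.
function sendRequest(config, httpsModule = require('https')) {
  return httpsModule.request(hardenedRequestOptions(config));
}

// Constructed inputs mimicking a config read from the environment with the
// variable unset (undefined), set to the string "false", and set correctly.
const SAMPLE_CONFIGS = {
  unset: { rejectUnauthorized: undefined },
  stringFalse: { rejectUnauthorized: 'false' },
  explicit: { rejectUnauthorized: true },
};

// For each sample, what the naive merge would hand to the https API and
// whether the hardened merge accepts it ('rejected' on a TypeError).
function classifyConfigs(configs = SAMPLE_CONFIGS) {
  const out = {};
  for (const [name, cfg] of Object.entries(configs)) {
    const naive = requestOptionsFrom(cfg).rejectUnauthorized;
    let hardened;
    try {
      hardened = hardenedRequestOptions(cfg).rejectUnauthorized;
    } catch (e) {
      hardened = e instanceof TypeError ? 'rejected' : 'error';
    }
    out[name] = { naive, hardened };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyConfigs());
}
```

Only the explicit sample survives the hardened merge; the unset and "false" samples are rejected, whereas the naive merge passes undefined and the truthy string 'false' straight through to the API. The guard belongs at the point where configuration is turned into request options, since that is where a missing or mistyped value is cheapest to catch.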
Affected products
NodeJS · Node
References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1278254
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20210917-0003/
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html