CVE-2021-44532

EPSS 10.4% · CWE-296
In short

Node.js had a security flaw where special characters in certificate names could be used to bypass security checks that limit which websites a certificate can be used for. This could allow attackers to use a certificate in ways it wasn't supposed to be used.

Technical detail

Node.js versions before 12.22.9, 14.18.3, 16.13.2, and 17.3.1 failed to properly escape Subject Alternative Names (SANs) when converting them to strings for hostname validation, enabling injection attacks that bypass name constraints in certificate chains. The vulnerability affects TLS/SSL peer certificate verification and was patched by escaping problematic characters in SANs.

Summary generated and translated by AI from the official description.
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
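The ambiguity in the string format and the effect of escaping, as a simplified model added here for illustration (not Node.js source code and not part of the official description). The function names, the JSON-style quoting rule and the sample SAN values are assumptions constructed for the example.

```javascript
// Simplified model of the SAN string format; not Node.js source code.
// Assumption: quoting is modelled with JSON.stringify for values that
// contain a comma, double quote or backslash.
function formatSans(sans, escape) {
  return sans.map(({ type, value }) => {
    const ambiguous = /[,"\\]/.test(value);
    return `${type}:${escape && ambiguous ? JSON.stringify(value) : value}`;
  }).join(', ');
}

// Naive consumer: assumes ", " only ever separates entries.
function naiveDnsNames(str) {
  return str.split(', ')
    .filter((entry) => entry.startsWith('DNS:'))
    .map((entry) => entry.slice(4));
}

// Quote-aware consumer: a quoted value is read up to its closing quote.
function parseSans(str) {
  const entries = [];
  let pos = 0;
  while (pos < str.length) {
    const colon = str.indexOf(':', pos);
    if (colon === -1) throw new Error('malformed SAN string');
    const type = str.slice(pos, colon);
    let end;
    let value;
    if (str[colon + 1] === '"') {
      end = colon + 2;
      while (end < str.length && str[end] !== '"') end += str[end] === '\\' ? 2 : 1;
      if (end >= str.length) throw new Error('unterminated quoted SAN value');
      value = JSON.parse(str.slice(colon + 1, end + 1));
      end += 1;
    } else {
      end = str.indexOf(', ', colon);
      if (end === -1) end = str.length;
      value = str.slice(colon + 1, end);
    }
    entries.push({ type, value });
    pos = end + 2; // skip the ", " separator
  }
  return entries;
}

// Constructed sample: a single URI entry whose value embeds ", DNS:".
const sample = [{ type: 'URI', value: 'http://a.example.test/, DNS:b.example.test' }];
const dnsNames = (str) => parseSans(str).filter((e) => e.type === 'DNS').map((e) => e.value);
console.log(naiveDnsNames(formatSans(sample, false))); // unescaped + naive split
console.log(dnsNames(formatSans(sample, true)));       // escaped + quote-aware parse
```

Code that reads the `subjectaltname` string of a peer certificate on patched versions should parse it quote-aware in this way rather than splitting on `, `.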
Affected products
NodeJS · Node
