Node.js · CVE-2022-31183
**Name of the Vulnerable Software and Affected Versions**
fs2-io versions 3.1.0 through 3.2.10
**Description**
When a server-mode `TLSSocket` is established with `fs2-io` running on Node.js, the `requestCert = true` parameter in `TLSParameters` is ignored: the server never asks the client for a certificate, peer certificate verification is skipped, and the connection proceeds as if mutual TLS had succeeded. A client that presents no certificate, or an untrusted one, is therefore accepted. The issue is limited to `fs2-io` on Node.js and to server-mode `TLSSocket`s for which mTLS was explicitly enabled via `requestCert = true`; `requestCert` defaults to `false` for server-mode `TLSSocket`s, so deployments that never enabled it are not affected, but those that did were silently running without client authentication.
**Recommendations**
For fs2-io versions 3.1.0 through 3.2.10, update to version 3.2.11 or later. From that version `requestCert = true` is respected and peer certificate verification is performed, with an `SSLException` raised if verification fails.
As a temporary workaround for unpatched versions on Node.js, do not rely on a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection: client authentication is not enforced in those versions.