PT-2021-6094 · Node.Js+7
Published 2020-01-24 · Updated 2026-05-18 · CVE-2021-44531
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Node.js versions prior to 12.22.9
Node.js versions prior to 14.18.3
Node.js versions prior to 16.13.2
Node.js versions prior to 17.3.1
Description
The issue lies in how Node.js handled Subject Alternative Names (SANs) when validating a peer certificate against a hostname. Node.js accepted arbitrary SAN types, including URI SANs, which most Public Key Infrastructures do not define for use; because name constraints on intermediate CAs are expressed per name type, accepting a type the PKI never constrained lets a certificate issued under a name-constrained intermediate pass the hostname check it should have failed. This allows a remote attacker to conduct spoofing attacks. In addition, where a protocol does allow URI SANs, Node.js did not match the URI correctly, giving a further route to a validation bypass.
Recommendations
For Node.js versions prior to 12.22.9, update to version 12.22.9 or later to disable the URI SAN type when checking a certificate against a hostname.
For Node.js versions prior to 14.18.3, update to version 14.18.3 or later to disable the URI SAN type when checking a certificate against a hostname.
For Node.js versions prior to 16.13.2, update to version 16.13.2 or later to disable the URI SAN type when checking a certificate against a hostname.
For Node.js versions prior to 17.3.1, update to version 17.3.1 or later to disable the URI SAN type when checking a certificate against a hostname.
If a deployment legitimately depends on URI SAN matching, the previous behavior can be restored temporarily with the --security-revert command-line option (--security-revert=CVE-2021-44531), but be aware that this reintroduces the vulnerability and should not be left in place.
Fix
Prototype Pollution
Improper Certificate Validation
Code Injection
Affected Products
Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Red Os
Rocky Linux
Suse