PT-2022-1547 · Node.Js+7

Published

2020-01-24

·

Updated

2026-05-18

·

CVE-2021-44532

CVSS v2.0

7.1

High

Vector AV:N/AC:H/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Node.js 12.x versions < 12.22.9
Node.js 14.x versions < 14.18.3
Node.js 16.x versions < 16.13.2
Node.js 17.x versions < 17.3.1
Description

Node.js converts a certificate's Subject Alternative Names (SANs) into a single string (the subjectaltname value, of the form DNS:example.com, IP Address:192.0.2.1) and parses that string when checking a peer certificate against the expected hostname while validating a connection. Because SAN values were inserted into the string without escaping, a value of another SAN type (for example a URI) that contained the entry separator could be made to read back as an additional DNS entry. When X.509 name constraints were used within a certificate chain, the constraints were enforced on the certificate's real SAN entries but never saw the injected one, so a certificate issued by a constrained CA could be accepted for a hostname outside the names that CA was permitted to certify. A remote attacker able to obtain such a certificate from a constrained CA trusted by the client can exploit this to spoof a server to a Node.js TLS client.
Recommendations

Update Node.js to a fixed release of the line in use: 12.22.9, 14.18.3, 16.13.2 or 17.3.1, or later. Note that the fix changes the string form of the subjectaltname property: SAN values that would otherwise be ambiguous (containing a comma, double quote, backslash or control character) are now emitted as quoted JSON string literals, so applications that split or parse that string themselves may need adjusting. The --security-revert=CVE-2021-44532 command-line option restores the old, unescaped format for such applications, but it also restores the vulnerability, so it is not a mitigation and should only be used temporarily while dependent code is fixed.
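To make the injection in the description and the quoting introduced by the fix concrete, the following JavaScript is an added example; it is neither code from this page nor Node.js's own implementation. It models a pre-fix serialiser that writes SAN values verbatim, a hardened serialiser that emits ambiguous values as JSON string literals (the convention Node.js documents for subjectaltname after the fix), a parser for the flattened string, and a hostname check run over the parsed result. The SAN list, the hostname login.example.com and the example.org name constraint are constructed for the example; the name-constraint check stands in for what an X.509 chain validator does on the structured SAN list.

```javascript
'use strict';

// Constructed SAN list, as a CA whose name constraint permits only
// example.org DNS names might issue it. The DNS entry is within the
// constraint; the URI value is attacker-chosen and carries a fake
// ", DNS:" separator (hypothetical data, not from a real certificate).
const CERT_SANS = [
  { type: 'DNS', value: 'app.example.org' },
  { type: 'URI', value: 'https://app.example.org/, DNS:login.example.com' },
];

// Name-constraint check on the structured list: every DNS SAN must be the
// permitted domain or a subdomain of it. The injected text is a URI value
// here, so this check never sees it.
function dnsSansWithinConstraint(sans, permittedDomain) {
  return sans
    .filter((s) => s.type === 'DNS')
    .every((s) => s.value === permittedDomain || s.value.endsWith('.' + permittedDomain));
}

// Pre-fix style: "TYPE:value" entries joined with ", ", values verbatim.
function flattenLegacy(sans) {
  return sans.map((s) => `${s.type}:${s.value}`).join(', ');
}

// Hardened style: a value containing a comma, double quote, backslash or
// control character is emitted as a JSON string literal; others verbatim.
function flattenEscaped(sans) {
  const ambiguous = /[",\\\x00-\x1f\x7f]/;
  return sans
    .map((s) => `${s.type}:${ambiguous.test(s.value) ? JSON.stringify(s.value) : s.value}`)
    .join(', ');
}

// Parser for the flattened form. A value starting with a double quote is a
// JSON string literal and is decoded as a unit; any other value runs up to
// the next ", " separator, which is exactly where an unescaped value breaks.
function parseAltNames(str) {
  const entries = [];
  let i = 0;
  while (i < str.length) {
    const colon = str.indexOf(':', i);
    if (colon < 0) throw new Error('malformed SAN entry');
    const type = str.slice(i, colon);
    let j = colon + 1;
    let value;
    if (str[j] === '"') {
      let k = j + 1;
      while (k < str.length && str[k] !== '"') {
        if (str[k] === '\\') k++; // skip the escaped character
        k++;
      }
      if (k >= str.length) throw new Error('unterminated quoted SAN value');
      value = JSON.parse(str.slice(j, k + 1));
      j = k + 1;
    } else {
      const sep = str.indexOf(', ', j);
      const end = sep < 0 ? str.length : sep;
      value = str.slice(j, end);
      j = end;
    }
    entries.push({ type, value });
    if (str.startsWith(', ', j)) j += 2;
    else if (j !== str.length) throw new Error('unexpected data after SAN entry');
    i = j;
  }
  return entries;
}

// Hostname check done on the parsed string, which is where the vulnerable
// logic lived: accept if any DNS entry equals the hostname (case-insensitive;
// wildcard names are out of scope for this example).
function hostnameMatches(hostname, flattened) {
  const want = hostname.toLowerCase();
  return parseAltNames(flattened).some(
    (e) => e.type === 'DNS' && e.value.toLowerCase() === want,
  );
}

// Run the constructed certificate through both formats for a hostname the
// issuing CA was never permitted to certify.
function demo(hostname = 'login.example.com') {
  const constraintOk = dnsSansWithinConstraint(CERT_SANS, 'example.org');
  return {
    constraintOk,
    legacyAccepted: constraintOk && hostnameMatches(hostname, flattenLegacy(CERT_SANS)),
    escapedAccepted: constraintOk && hostnameMatches(hostname, flattenEscaped(CERT_SANS)),
  };
}

console.log(flattenLegacy(CERT_SANS));
console.log(flattenEscaped(CERT_SANS));
console.log(demo());
```

With the legacy format the parser yields three entries and the bogus DNS:login.example.com satisfies the hostname check even though the name constraint was honoured on the real SAN list; with the escaped format the URI value stays one entry and the check fails. An application that still splits subjectaltname on ", " after upgrading will mis-parse quoted values in the same way this parser handles them correctly, which is what the --security-revert option exists to paper over.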

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

ALSA-2022:7830
ALSA-2022:9073
ALT-PU-2020-1090
ALT-PU-2022-1760
ALT-PU-2022-1799
ALT-PU-2022-2156
ALT-PU-2022-2171
ALT-PU-2022-3073
ALT-PU-2023-1461
ALT-PU-2023-1912
AZL-8818
BDU:2022-00759
BIT-NODE-2021-44532
BIT-NODE-MIN-2021-44532
CESA-2022_7830
CESA-2022_9073
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2021-44532
DSA-5170-1
MGASA-2022-0077
OESA-2022-1620
OPENSUSE-SU-2022:0112-1
OPENSUSE-SU-2022:0113-1
OPENSUSE-SU-2022_0112-1
OPENSUSE-SU-2022_0113-1
OPENSUSE-SU-2024:11730-1
OPENSUSE-SU-2024:11746-1
RHSA-2022:4914
RHSA-2022:7044
RHSA-2022:7830
RHSA-2022:9073
RHSA-2022_7830
RHSA-2022_9073
RHSA-2023:1742
RLSA-2022:7830
RLSA-2022:9073
SUSE-SU-2022:0101-1
SUSE-SU-2022:0112-1
SUSE-SU-2022:0113-1
SUSE-SU-2022:0114-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Red Os
Rocky Linux
Suse