PT-2022-20593

Author: Christopher Davenport
Published: 2022-07-29
Updated: 2022-08-09
CVE: CVE-2022-31183
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: fs2-io versions 3.1.0 through 3.2.10
Description: The issue arises when establishing a server-mode TLSSocket using fs2-io on Node.js: the parameter requestCert = true is ignored and peer certificate verification is skipped, so the connection proceeds even when the client presents no certificate or one that fails verification. The vulnerability is limited to fs2-io running on Node.js, and specifically to server-mode TLSSockets with mutual TLS (mTLS) enabled via requestCert = true in TLSParameters. The default setting for server-mode TLSSockets is false, so servers that never set requestCert are not affected.
Recommendations: For fs2-io versions 3.1.0 through 3.2.10, update to version 3.2.11 or later, where the requestCert = true parameter is respected and peer certificate verification is properly performed, raising an SSLException if verification fails. As a temporary workaround for unpatched versions on Node.js, do not rely on a server-mode TLSSocket with requestCert = true to establish an mTLS connection.


Weakness Enumeration: Improper Certificate Validation

Related Identifiers:
CVE-2022-31183
GHSA-2CPX-6PQP-WF35

Affected Products:
Node.Js
Fs2-Io