CVE-2021-44532

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Fixed

4e44cbfba6bbb87aa15564ea6856a556804f71c0

Introduced

73aa21658dfa6a22c06451d080152b32b1f98dbe

Fixed

92df3d654b366aa115fb672756cb051d480d8acc

Introduced

7162e686b18d22b4385fa5c04274fb04dbd810c7

Fixed

acb71eab779fb56bf70e8a9e0cb2e82a089a87de

Introduced

f99ce7c1b88ff445f60e9e5575b674cb509e47f3

Fixed

e4f326669a3f98a8804dde23eee6d8403f0a99f1

Affected versions

v14.*

v14.0.0

v14.1.0

v14.10.0

v14.10.1

v14.11.0

v14.12.0

v14.13.0

v14.13.1

v14.14.0

v14.15.0

v14.15.1

v14.15.2

v14.15.3

v14.15.4

v14.15.5

v14.16.0

v14.16.1

v14.17.0

v14.17.1

v14.17.2

v14.17.3

v14.17.4

v14.17.5

v14.17.6

v14.18.0

v14.18.1

v14.18.2

v14.2.0

v14.3.0

v14.4.0

v14.5.0

v14.6.0

v14.7.0

v14.8.0

v14.9.0

v16.*

v16.0.0

v16.1.0

v16.10.0

v16.11.0

v16.11.1

v16.12.0

v16.13.0

v16.13.1

v16.2.0

v16.3.0

v16.4.0

v16.4.1

v16.4.2

v16.5.0

v16.6.0

v16.6.1

v16.6.2

v16.7.0

v16.8.0

v16.9.0

v16.9.1

v17.*

v17.0.0

v17.0.1

v17.1.0

v17.2.0

v17.3.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44532.json"