CVE-2021-44532

Published: 2/24/2022 Last updated: 4/30/2025 Reserved: 12/2/2021

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Opam packages affected (1)

conf-npm

Products affected (1)

Product	Vendor	Version
Node	NodeJS	10 Version 1809 for 32-bit Systems

References (12)

https://www.oracle.com/security-alerts/cpujul2022.html
https://hackerone.com/reports/1429694
https://hackerone.com/reports/1429694
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-20220325-0007/
https://www.debian.org/security/2022/dsa-5170
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-20220325-0007/
https://www.debian.org/security/2022/dsa-5170
https://www.oracle.com/security-alerts/cpujul2022.html