CVE-2021-22939

Published: Aug 16, 2021

Modified: Apr 30, 2025

PUBLISHED

Description

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +8 more versions

Weaknesses (CWE)

CWE-295

References

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

https://hackerone.com/reports/1278254

https://www.oracle.com/security-alerts/cpuoct2021.html

https://security.netapp.com/advisory/ntap-20210917-0003/

https://www.oracle.com/security-alerts/cpujan2022.html

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

https://www.oracle.com/security-alerts/cpujul2022.html

[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update

mailing-list

GLSA-202401-02

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-22939

Description

Affected Products

Weaknesses (CWE)

References