QwikSec

Security Database

CVE

CWE

Training

CVE-2021-44531

Published: Feb 24, 2022

Modified: Apr 30, 2025

PUBLISHED

Description

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

Vendor	Product	Versions
NodeJS	Node	affected `4.0 - < 4.` affected `5.0 - < 5.` affected `6.0 - < 6.` affected `7.0 - < 7.` affected `8.0 - < 8.*` +9 more versions

Weaknesses (CWE)

References

https://hackerone.com/reports/1429694

x_refsource_MISC

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220325-0007/

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.