CVE-2021-44531 is a vulnerability in Node.js affecting versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1, related to improper certificate validation (CWE-295). Specifically, Node.js accepted arbitrary Subject Alternative Name (SAN) types in TLS certificates, including URI SAN types, even when the Public Key Infrastructure (PKI) was not explicitly defined to use them. This improper acceptance allows an attacker to bypass name-constrained intermediates, which are intended to restrict the scope of certificate authorities and prevent unauthorized certificate issuance. Additionally, when URI SANs were allowed, Node.js did not correctly match the URI against the hostname, further weakening validation. The vulnerability arises because Node.js did not disable URI SAN type checking by default, which is not standard practice in many PKIs. The fix implemented disables URI SAN type checking when verifying certificates against hostnames, restoring proper validation behavior. However, this fix can be reverted by using the --security-revert command-line option, potentially reintroducing the vulnerability. No known exploits in the wild have been reported to date. The vulnerability affects a broad range of Node.js versions from 4.0 through 17.0, impacting many applications and services relying on Node.js for secure communications and certificate validation.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of TLS-secured communications. Since Node.js is widely used in web servers, APIs, and microservices, improper certificate validation could allow attackers to perform man-in-the-middle (MITM) attacks by presenting malicious certificates with crafted URI SANs that bypass name constraints. This could lead to interception or manipulation of sensitive data, unauthorized access to internal services, or impersonation of trusted entities. The impact is especially critical for sectors relying heavily on Node.js for secure communications, such as financial services, healthcare, and government agencies. The vulnerability undermines trust in PKI enforcement, potentially allowing attackers to exploit certificate issuance weaknesses or compromised intermediates. Although no active exploits are known, the broad usage of affected Node.js versions and the ease of exploiting certificate validation flaws mean that organizations could face targeted attacks if adversaries develop exploits. The availability impact is less direct but could arise if attackers disrupt services by injecting invalid certificates or causing failures in TLS handshakes.

European organizations should immediately verify the Node.js versions deployed in their environments and upgrade to versions 12.22.9, 14.18.3, 16.13.2, 17.3.1 or later, where the vulnerability is fixed. Avoid using the --security-revert option, which disables the fix and reintroduces the vulnerability. Conduct thorough audits of TLS certificate validation logic in custom Node.js applications, ensuring that URI SAN types are not accepted unless explicitly required and properly validated. Implement strict certificate pinning or use additional validation layers where feasible to reduce reliance on default Node.js validation. Monitor network traffic for unusual TLS handshake patterns that could indicate exploitation attempts. Coordinate with certificate authorities to ensure that PKI policies do not issue certificates with inappropriate URI SANs. For critical services, consider deploying Web Application Firewalls (WAFs) or TLS interception proxies that can enforce stricter certificate validation policies. Finally, maintain an inventory of Node.js dependencies and update them regularly to incorporate security patches promptly.