Skip to main content

CVE-2021-44531: Improper Certificate Validation (CWE-295) in NodeJS Node

High
VulnerabilityCVE-2021-44531cvecve-2021-44531cwe-295
Published: Thu Feb 24 2022 (02/24/2022, 18:27:00 UTC)
Source: CVE
Vendor/Project: NodeJS
Product: Node

Description

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

AI-Powered Analysis

AILast updated: 06/25/2025, 14:18:34 UTC

Technical Analysis

CVE-2021-44531 is a vulnerability in Node.js affecting versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1, related to improper certificate validation (CWE-295). Specifically, Node.js accepted arbitrary Subject Alternative Name (SAN) types in TLS certificates, including URI SAN types, even when the Public Key Infrastructure (PKI) was not explicitly defined to use them. This improper acceptance allows an attacker to bypass name-constrained intermediates, which are intended to restrict the scope of certificate authorities and prevent unauthorized certificate issuance. Additionally, when URI SANs were allowed, Node.js did not correctly match the URI against the hostname, further weakening validation. The vulnerability arises because Node.js did not disable URI SAN type checking by default, which is not standard practice in many PKIs. The fix implemented disables URI SAN type checking when verifying certificates against hostnames, restoring proper validation behavior. However, this fix can be reverted by using the --security-revert command-line option, potentially reintroducing the vulnerability. No known exploits in the wild have been reported to date. The vulnerability affects a broad range of Node.js versions from 4.0 through 17.0, impacting many applications and services relying on Node.js for secure communications and certificate validation.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of TLS-secured communications. Since Node.js is widely used in web servers, APIs, and microservices, improper certificate validation could allow attackers to perform man-in-the-middle (MITM) attacks by presenting malicious certificates with crafted URI SANs that bypass name constraints. This could lead to interception or manipulation of sensitive data, unauthorized access to internal services, or impersonation of trusted entities. The impact is especially critical for sectors relying heavily on Node.js for secure communications, such as financial services, healthcare, and government agencies. The vulnerability undermines trust in PKI enforcement, potentially allowing attackers to exploit certificate issuance weaknesses or compromised intermediates. Although no active exploits are known, the broad usage of affected Node.js versions and the ease of exploiting certificate validation flaws mean that organizations could face targeted attacks if adversaries develop exploits. The availability impact is less direct but could arise if attackers disrupt services by injecting invalid certificates or causing failures in TLS handshakes.

Mitigation Recommendations

European organizations should immediately verify the Node.js versions deployed in their environments and upgrade to versions 12.22.9, 14.18.3, 16.13.2, 17.3.1 or later, where the vulnerability is fixed. Avoid using the --security-revert option, which disables the fix and reintroduces the vulnerability. Conduct thorough audits of TLS certificate validation logic in custom Node.js applications, ensuring that URI SAN types are not accepted unless explicitly required and properly validated. Implement strict certificate pinning or use additional validation layers where feasible to reduce reliance on default Node.js validation. Monitor network traffic for unusual TLS handshake patterns that could indicate exploitation attempts. Coordinate with certificate authorities to ensure that PKI policies do not issue certificates with inappropriate URI SANs. For critical services, consider deploying Web Application Firewalls (WAFs) or TLS interception proxies that can enforce stricter certificate validation policies. Finally, maintain an inventory of Node.js dependencies and update them regularly to incorporate security patches promptly.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2021-12-02T00:00:00
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed497

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 2:18:34 PM

Last updated: 7/6/2025, 6:11:12 AM

Views: 5

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats