CVE-2021-44532 is a vulnerability in Node.js affecting versions prior to 12.22.9, 14.18.3, 16.13.2, and 17.3.1. The issue arises from how Node.js processes Subject Alternative Names (SANs) in X.509 certificates during TLS/SSL peer certificate validation. Specifically, Node.js converts SANs to a string format and uses this string to verify that the peer certificate matches the expected hostname. However, when name constraints are applied within a certificate chain, the conversion and validation process is vulnerable to injection attacks. This improper handling allows an attacker to bypass the intended name constraints by injecting specially crafted characters into the SAN string, effectively circumventing hostname verification. This flaw is categorized under CWE-296, which relates to improper following of a certificate's chain of trust. The vulnerability undermines the integrity of TLS connections by allowing malicious certificates to be accepted as valid for hostnames they should not be authorized for. Node.js addressed this issue by escaping problematic characters in SANs to prevent injection. Users can revert to the vulnerable behavior using the --security-revert command-line option, which is discouraged. No known exploits have been reported in the wild to date. The vulnerability impacts a broad range of Node.js versions, including many long-term support (LTS) releases, making it relevant for numerous applications relying on Node.js for secure communications.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of TLS-secured communications. Applications using vulnerable Node.js versions for HTTPS, secure APIs, or other TLS-based protocols may incorrectly validate peer certificates, potentially allowing attackers to impersonate legitimate services or intercept sensitive data. This could lead to man-in-the-middle (MITM) attacks, data leakage, or unauthorized access to internal systems. The impact is particularly critical for sectors relying heavily on secure communications, such as finance, healthcare, and government services. Since Node.js is widely used in web services and cloud-native applications, the scope of affected systems is extensive. The vulnerability does not directly affect availability but compromises trust in secure connections, which can indirectly disrupt business operations if exploited. The lack of required authentication or user interaction for exploitation increases the risk, especially in automated or backend systems where certificate validation is critical. Although no active exploits are known, the potential for abuse remains high given the broad usage of Node.js and the fundamental nature of the flaw in certificate validation.

European organizations should prioritize upgrading Node.js to versions 12.22.9, 14.18.3, 16.13.2, 17.3.1 or later where the vulnerability is fixed. Avoid using the --security-revert option, as it re-enables the vulnerable behavior. For environments where immediate upgrade is not feasible, implement additional certificate validation layers at the application level, such as manually verifying certificate chains and name constraints using trusted libraries. Employ strict TLS configurations and certificate pinning where possible to reduce reliance on Node.js's built-in validation. Conduct thorough audits of all Node.js-based services to identify vulnerable versions and assess exposure. Integrate monitoring for unusual TLS handshake failures or suspicious certificate chains that may indicate attempted exploitation. Educate development and security teams about the risks of improper certificate validation and encourage secure coding practices around TLS usage. Finally, maintain up-to-date inventories of Node.js deployments across the organization to ensure timely patch management.