
CVE-2022-31183: CWE-295: Improper Certificate Validation in typelevel fs2

Medium
Published: Mon Aug 01 2022 (08/01/2022, 19:50:11 UTC)
Source: CVE
Vendor/Project: typelevel
Product: fs2

Description

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to:

1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent.
2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API.
3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s.

It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, an `SSLException` is raised.

If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection.

AI-Powered Analysis

Last updated: 06/22/2025, 00:10:47 UTC

Technical Analysis

CVE-2022-31183 is a medium-severity vulnerability in the fs2-io module of fs2, a compositional streaming I/O library for Scala, when that module is compiled for Scala.js and run on Node.js. The defect (CWE-295, Improper Certificate Validation) lies in server-mode `TLSSocket` handling: when mutual TLS is requested by setting `requestCert = true` in `TLSParameters`, the setting is ignored. No client certificate is demanded or verified, and the handshake completes for any client, so a server that believes it is enforcing mTLS is in fact performing only one-way TLS. Any client that can reach the port connects without authenticating, and application logic that treats "handshake succeeded" as "client is authenticated" is bypassed.

The scope is narrow in three ways. Only fs2-io on Node.js is affected; the JVM TLS implementation is independent and unaffected. Only server-mode sockets are affected; client-mode `TLSSocket`s are implemented via a different API. Only deployments that set `requestCert = true` are affected; the default for server-mode sockets is `false`. The issue was introduced with the first Node.js implementation of fs2-io in 3.1.0 and fixed in 3.2.11, where `requestCert = true` is honoured and a client whose certificate fails verification causes an `SSLException` instead of a usable socket. No known exploits have been reported in the wild.

The security property lost is client authentication, not channel secrecy: traffic between the server and whoever connected is still encrypted, but the server has no assurance of who that is. The practical impact is unauthorized access to whatever the service exposes to clients it believes it has authenticated.

Potential Impact

For European organizations, this vulnerability matters to any service built with fs2-io on Node.js that relies on mTLS for client authentication. Because client certificates are never validated, the authentication guarantee of mTLS is absent: any client able to reach the listener can connect and interact with the service as though it had presented a valid certificate. Depending on the application, that can mean unauthorized data access, data leakage, or unauthorized command execution, and a service that was trusted as an internal, certificate-gated endpoint can become a pivot for lateral movement. Sectors such as finance, healthcare, telecommunications, and critical infrastructure, where certificate-based client authentication is common, are the most exposed. The scope is limited by the preconditions: the application must use fs2-io on Node.js, in server mode, with `requestCert = true`, which is not the default. The attack is client impersonation rather than interception; the TLS channel itself is not weakened, but the server cannot tell a legitimate client from anyone else who connects.

Mitigation Recommendations

1. Upgrade to fs2 3.2.11 or later (fs2-io is versioned with fs2). This is the only real fix: the patched version enforces `requestCert = true` and fails the handshake with an `SSLException` when client verification fails. Expect clients that previously connected without a valid certificate to start failing after the upgrade; that is the intended behaviour, not a regression.
2. If upgrading is not immediately feasible, do not rely on a server-mode `TLSSocket` with `requestCert = true` on Node.js for client authentication; on affected versions it provides none. Authenticate clients by another mechanism (for example, application-level credentials) until patched. Simply "disabling mTLS" changes nothing in practice, since affected versions already behave as if it were disabled.
3. Audit applications and services using fs2-io on Node.js for `TLSParameters` built with `requestCert = true` in server mode, and prioritize those for patching.
4. Terminate mTLS at a reverse proxy or load balancer that validates client certificates correctly, so trust verification no longer depends on the vulnerable layer. Ensure the fs2 service then accepts connections only from that proxy (for example, bound to loopback or an internal interface); otherwise the proxy can be bypassed.
5. Monitor for TLS connections to mTLS-only services from unexpected sources. On a patched version, rejected clients surface as `SSLException`s, which should be logged.
6. Make development teams aware that an mTLS setting which is silently ignored is worse than one that is absent, and that client authentication should be tested negatively (a client without a certificate must be refused).
7. Use automated dependency scanning in CI/CD to flag Scala.js builds depending on fs2-io versions 3.1.0 through 3.2.10.
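The configuration this advisory is about, as an added example that is not code from the fs2 project or from this page: a server-mode `TLSSocket` on Node.js with `requestCert = true`, written against fs2 3.2.11 so that a failed client verification is handled instead of crashing the accept loop. The certificate file paths, the `SecureContext` and `TLSParameters` parameter names, and the `SSLException` import are assumptions to check against the fs2 version actually in use. On an affected version (3.1.0 through 3.2.10) the same code compiles and runs, but the `requestCert` setting has no effect and every client reaches the echo handler.

```scala
// Added example for CVE-2022-31183; not code from the fs2 project.
// Assumes fs2-io 3.2.11 or later built for Scala.js and run on Node.js:
//   libraryDependencies += "co.fs2" %%% "fs2-io" % "3.2.11"
// Parameter names for SecureContext and TLSParameters follow the fs2 3.x
// Node.js API as the author recalls it; verify against the version in use.
import cats.effect.{IO, IOApp}
import cats.syntax.all._
import com.comcast.ip4s._
import fs2.{Chunk, Stream, text}
import fs2.io.file.{Files, Path}
import fs2.io.net.Network
import fs2.io.net.tls.{SecureContext, TLSContext, TLSParameters}
// The exception type the advisory names; import assumed to resolve on Scala.js.
import javax.net.ssl.SSLException

object MtlsEchoServer extends IOApp.Simple {

  // Placeholder paths (assumed): the server's own certificate chain and key,
  // and the CA that issued client certificates. Only clients whose certificate
  // chains to clientCa should be accepted.
  private val serverCert = Path("server.crt")
  private val serverKey  = Path("server.key")
  private val clientCa   = Path("client-ca.crt")

  private def pem(p: Path): IO[Chunk[Byte]] =
    Files[IO].readAll(p).compile.to(Chunk)

  private val secureContext: IO[SecureContext] =
    (pem(serverCert), pem(serverKey), pem(clientCa)).mapN { (cert, key, ca) =>
      SecureContext(
        cert = Some(List(Left(cert))),
        key  = Some(List(SecureContext.Key(Left(key)))),
        ca   = Some(List(Left(ca)))
      )
    }

  // This is the setting the advisory concerns. Before 3.2.11 on Node.js it was
  // silently ignored in server mode: any client, with or without a certificate,
  // completed the handshake. From 3.2.11 a client that fails verification gets
  // an SSLException instead of a usable socket.
  private val mtlsParams: TLSParameters = TLSParameters(requestCert = Some(true))

  def run: IO[Unit] =
    secureContext.flatMap { ctx =>
      val tls: TLSContext[IO] = Network[IO].tlsContext.fromSecureContext(ctx)
      Network[IO]
        .server(port = Some(port"8443"))
        .map { plain =>
          Stream
            .resource(tls.server(plain, mtlsParams))
            .flatMap { socket =>
              // Reaching this point on a patched version means the handshake
              // succeeded, i.e. the client presented a certificate chaining to
              // clientCa. Echo lines back to the authenticated client.
              socket.reads
                .through(text.utf8.decode)
                .through(text.lines)
                .map(line => s"echo: $line\n")
                .through(text.utf8.encode)
                .through(socket.writes)
            }
            // A rejected client is an expected event under mTLS: log it and
            // drop that connection, keep accepting others.
            .handleErrorWith {
              case e: SSLException =>
                Stream.exec(IO.println(s"rejected client: ${e.getMessage}"))
              case other =>
                Stream.raiseError[IO](other)
            }
        }
        .parJoin(64)
        .compile
        .drain
    }
}
```

To verify the fix negatively, connect once with a certificate issued by `client-ca.crt` and once without any certificate: on 3.2.11 the second connection must be refused and logged as `rejected client`, while on 3.1.0 through 3.2.10 both connections reach the echo handler, which is the bug.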


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:10:47 AM

Last updated: 8/18/2025, 11:32:55 PM
