CVE-2021-44532

Name	CVE-2021-44532
Description	Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DSA-5170-1
Debian Bugs	1004177

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
nodejs (PTS)	buster	10.24.0~dfsg-1~deb10u1	vulnerable
	buster (security)	10.24.0~dfsg-1~deb10u2	vulnerable
	bullseye	12.22.5~dfsg-2~11u1	vulnerable
	bullseye (security)	12.22.12~dfsg-1~deb11u1	fixed
	bookworm, sid	18.12.1+dfsg-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
nodejs	source	stretch	(unfixed)	end-of-life
nodejs	source	bullseye	12.22.12~dfsg-1~deb11u1		DSA-5170-1
nodejs	source	(unstable)	12.22.9~dfsg-1			1004177

Notes

[buster] - nodejs <ignored> (Minor issue, requires MITM and uncommon CA, invasive/hard to backport)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
https://hackerone.com/reports/1429694
https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677 (v12.x)
https://github.com/nodejs/node/commit/a5c7843cab6fdb9c845edadc2a7b9b30e02c8bf2 (v12.x)