CVE-2021-44532

NameCVE-2021-44532
DescriptionNode.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5170-1
Debian Bugs1004177

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u7fixed
bookworm18.19.0+dfsg-6~deb12u2fixed
bookworm (security)18.19.0+dfsg-6~deb12u1fixed
trixie, sid20.19.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssourcestretch(unfixed)end-of-life
nodejssourcebullseye12.22.12~dfsg-1~deb11u1DSA-5170-1
nodejssource(unstable)12.22.9~dfsg-11004177

Notes

[buster] - nodejs <ignored> (Minor issue, requires MITM and uncommon CA, invasive/hard to backport)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
https://hackerone.com/reports/1429694
https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677 (v12.x)
https://github.com/nodejs/node/commit/a5c7843cab6fdb9c845edadc2a7b9b30e02c8bf2 (v12.x)
Search for package or bug name: Reporting problems