CVE-2021-44532

NameCVE-2021-44532
DescriptionNode.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5170-1
Debian Bugs1004177

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)buster, buster (security)10.24.0~dfsg-1~deb10u1vulnerable
bullseye12.22.5~dfsg-2~11u1vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u1fixed
bookworm18.6.0+dfsg-5fixed
sid18.7.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssourcestretch(unfixed)end-of-life
nodejssourcebullseye12.22.12~dfsg-1~deb11u1DSA-5170-1
nodejssource(unstable)12.22.9~dfsg-11004177

Notes

[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677 (v12.x)
Search for package or bug name: Reporting problems