CVE-2021-44531
📋 TL;DR
This vulnerability in Node.js allows attackers to bypass certificate name constraints by using arbitrary Subject Alternative Name (SAN) types, particularly URI SANs. It affects Node.js applications that use TLS/SSL certificate validation, potentially enabling man-in-the-middle attacks or impersonation of trusted services.
💻 Affected Systems
- Node.js
📦 What is this software?
Graalvm by Oracle
Node.js by Nodejs
Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete TLS/SSL certificate validation bypass allowing attackers to impersonate any trusted service, intercept encrypted communications, or perform man-in-the-middle attacks against Node.js applications.
Likely Case
Targeted attacks against specific Node.js applications where attackers can impersonate services that the application trusts, potentially leading to data interception or unauthorized access.
If Mitigated
Limited impact if applications use additional certificate validation layers, certificate pinning, or network segmentation that restricts certificate authority trust.
🎯 Exploit Status
Exploitation requires the ability to present a malicious certificate with URI SANs to a vulnerable Node.js application. Public proof-of-concept exists in the HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 12.22.9, 14.18.3, 16.13.2, 17.3.1 or later
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Restart Required: Yes
Instructions:
1. Identify the Node.js version with 'node --version'.
2. Update to a patched version using your package manager (npm update -g node) or download it from nodejs.org.
3. Restart all Node.js applications and services.
🔧 Temporary Workarounds
Do not revert the URI SAN fix
Applies to: all
Prevent the security revert that would re-enable the vulnerable behavior: ensure the --security-revert command-line option is not used when starting Node.js.
Certificate pinning
Applies to: all
Add certificate validation beyond the standard chain check by pinning in application code, using a library such as node-forge or the built-in crypto module, so that a certificate which passes the flawed name-constraint check is still rejected.
🧯 If You Can't Patch
- Implement network-level controls to restrict which certificate authorities are trusted
- Use application-level certificate validation with additional checks beyond standard Node.js validation
🔍 How to Verify
Check if Vulnerable:
Run 'node --version'. The installation is vulnerable if the version is below the patched release for its major line: 12.22.9, 14.18.3, 16.13.2 or 17.3.1.
Check Version:
node --version
Verify Fix Applied:
After the update, run 'node --version' again and confirm the version is at least 12.22.9, 14.18.3, 16.13.2 or 17.3.1 for its major line.
📡 Detection & Monitoring
Log Indicators:
- Unusual certificate validation failures
- Certificate validation warnings with URI SANs
- TLS handshake errors from unexpected sources
Network Indicators:
- Unexpected certificate authorities in TLS connections
- Certificates with URI SANs being accepted by Node.js applications
SIEM Query:
source="nodejs" AND ("certificate validation" OR "TLS handshake") AND ("URI SAN" OR "name constraint bypass")
🔗 References
- https://hackerone.com/reports/1429694
- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
- https://security.netapp.com/advisory/ntap-20220325-0007/
- https://www.debian.org/security/2022/dsa-5170
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html