Node v17.3.1 (Current)
by Bethany Nicolle Griggs

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly.
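
For application code that reads the SAN string itself (for example the `subjectaltname` property of a peer certificate), the escaping described under CVE-2021-44532 means the string can no longer be split on `, `. The following is an added example, not code from Node.js or from this release note; it assumes, per the Node.js documentation rather than this page, that escaped values appear as JSON string literals, and `SAMPLE_SAN`, `parseSubjectAltName` and `naiveSplit` are hypothetical names.

```javascript
// Added example (not Node.js source): parse the subjectaltname string
// without assuming that ", " always separates two entries.
// Assumption from the Node.js documentation, not from this page: patched
// versions emit a value with problematic characters as a JSON string literal.

// Constructed sample: ONE quoted DNS entry plus one IP entry.
const SAMPLE_SAN = 'DNS:"good.example, DNS:other.example", IP Address:192.0.2.7';

function parseSubjectAltName(san) {
  const entries = [];
  let i = 0;
  while (i < san.length) {
    const colon = san.indexOf(':', i);
    if (colon === -1) throw new Error(`malformed SAN entry at offset ${i}`);
    const type = san.slice(i, colon);
    let end, value;
    if (san[colon + 1] === '"') {
      // Quoted value: scan to the closing quote, skipping escaped characters.
      end = colon + 2;
      while (end < san.length && san[end] !== '"') end += san[end] === '\\' ? 2 : 1;
      if (end >= san.length) throw new Error('unterminated quoted SAN value');
      end += 1;
      value = JSON.parse(san.slice(colon + 1, end));
    } else {
      // Unquoted value: runs to the next ", " separator or end of string.
      end = san.indexOf(', ', colon + 1);
      if (end === -1) end = san.length;
      value = san.slice(colon + 1, end);
    }
    if (end < san.length && !san.startsWith(', ', end)) {
      throw new Error(`unexpected text after SAN entry at offset ${end}`);
    }
    entries.push({ type, value });
    i = end + 2;
  }
  return entries;
}

// What a consumer gets if it splits on ", " and ignores the quoting.
function naiveSplit(san) {
  return san.split(', ').map((e) => {
    const k = e.indexOf(':');
    return { type: e.slice(0, k), value: e.slice(k + 1) };
  });
}

console.log('quote-aware:', parseSubjectAltName(SAMPLE_SAN));
console.log('naive split:', naiveSplit(SAMPLE_SAN));
```

The quote-aware parser returns two entries for the constructed sample, while the naive split reports three, which is the misreading the escaping is meant to rule out.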