Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format and uses that string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing those name constraints to be bypassed. Versions of Node.js with the fix escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
Affected Products
| Vendor | Product | Affected versions | Notes |
| --- | --- | --- | --- |
| nodejs | node.js | | - |
| nodejs | node.js | 17.0.0 - 17.3.1 | - |
| oracle | graalvm | - | - |
| oracle | mysql_cluster | 8.0.29 | - |
| oracle | mysql_connectors | 8.0.28 | - |
| oracle | mysql_enterprise_monitor | 8.0.29 | - |
| oracle | mysql_server | 5.7.37 | - |
| oracle | mysql_server | 8.0.0 - 8.0.28 | - |
| oracle | mysql_workbench | 8.0.0 - 8.0.28 | - |
| oracle | peoplesoft_enterprise_peopletools | - | - |
| debian | debian_linux | - | - |
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N