Unrated severity · NVD Advisory · Published Feb 24, 2022 · Updated Apr 30, 2025
CVE-2021-44531
Description
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 were accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
Affected products
21 affected packages (OSV coordinates; none has a CPE), each with its vulnerable version range:
- pkg:bitnami/node: < 12.22.9
- pkg:bitnami/node-min: < 12.22.9
- pkg:rpm/almalinux/nodejs: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-devel: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-docs: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-full-i18n: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-nodemon: < 2.0.19-2.module_el8.6.0+3261+490666b3
- pkg:rpm/almalinux/nodejs-packaging: < 23-3.module_el8.4.0+2522+3bd42762
- pkg:rpm/almalinux/npm: < 1:6.14.17-1.14.20.1.2.module_el8.7.0+3342+b2df8497
- pkg:rpm/opensuse/chromium&distro=openSUSE%20Leap%2015.3: < 100.0.4896.88-bp153.2.82.1
- pkg:rpm/opensuse/htmldoc&distro=openSUSE%20Leap%2015.3: < 1.9.12-bp153.2.9.1
- pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.3: < 12.22.9-4.25.1
- pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.3: < 14.18.3-15.24.1
- pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Tumbleweed: < 16.13.2-1.1
- pkg:rpm/opensuse/nodejs17&distro=openSUSE%20Tumbleweed: < 17.3.1-1.1
- pkg:rpm/suse/chromium&distro=SUSE%20Package%20Hub%2015%20SP3: < 100.0.4896.88-bp153.2.82.1
- pkg:rpm/suse/htmldoc&distro=SUSE%20Package%20Hub%2015%20SP3: < 1.9.12-bp153.2.9.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012: < 12.22.9-1.38.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3: < 12.22.9-4.25.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012: < 14.18.3-6.21.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3: < 14.18.3-15.24.1
References
- www.debian.org/security/2022/dsa-5170 (MITRE; vendor advisory; x_refsource_DEBIAN)
- hackerone.com/reports/1429694 (MITRE; x_refsource_MISC)
- nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ (MITRE; x_refsource_MISC)
- security.netapp.com/advisory/ntap-20220325-0007/ (MITRE; x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (MITRE; x_refsource_MISC)
- www.oracle.com/security-alerts/cpujul2022.html (MITRE; x_refsource_MISC)