{"id":"CVE-2021-44532","details":"Node.js \u003c 12.22.9, \u003c 14.18.3, \u003c 16.13.2, and \u003c 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.","aliases":["BIT-node-2021-44532","BIT-node-min-2021-44532"],"modified":"2026-03-15T22:44:00.833931Z","published":"2022-02-24T19:15:09.360Z","related":["ALSA-2022:7830","ALSA-2022:9073","MGASA-2022-0077","SUSE-SU-2022:0101-1","SUSE-SU-2022:0112-1","SUSE-SU-2022:0113-1","SUSE-SU-2022:0114-1","openSUSE-SU-2022:0112-1","openSUSE-SU-2022:0113-1","openSUSE-SU-2024:11730-1","openSUSE-SU-2024:11746-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220325-0007/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5170"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"https://hackerone.com/reports/1429694"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"EVIDENCE","url":"https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"ab8db8415e996bd955acef60c0b2225761210c9a"},{"introduced":"0"},{"last_affected":"5d777aadefa45491c9fd582d09ef4dc7dfdf1bfa"},{"introduced":"0"},{"last_affected":"bd6570ec5fc8253ab93b6760c36a3883cc3bdbb2"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"20.3.5"},{"introduced":"0"},{"last_affected":"21.3.1"},{"introduced":"0"},{"last_affected":"22.0.0.2"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"8d8c986e5716e38cb776b627a8eee9e92241b4ce"},{"introduced":"0"},{"last_affected":"6846e6b2f72931991cc9fd589dc9946ea2ab58c9"},{"introduced":"0"},{"last_affected":"8d8c986e5716e38cb776b627a8eee9e92241b4ce"},{"introduced":"0"},{"last_affected":"0cd98bdf981583a1cf4cb526581fc16e23bb839b"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"6846e6b2f72931991cc9fd589dc9946ea2ab58c9"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"6846e6b2f72931991cc9fd589dc9946ea2ab58c9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.0.29"},{"introduced":"0"},{"last_affected":"8.0.28"},{"introduced":"0"},{"last_affected":"8.0.29"},{"introduced":"0"},{"last_affected":"5.7.37"},{"introduced":"8.0.0"},{"last_affected":"8.0.28"},{"introduced":"8.0.0"},{"last_affected":"8.0.28"}]}},{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0"},{"fixed":"4e44cbfba6bbb87aa15564ea6856a556804f71c0"},{"introduced":"73aa21658dfa6a22c06451d080152b32b1f98dbe"},{"fixed":"92df3d654b366aa115fb672756cb051d480d8acc"},{"introduced":"7162e686b18d22b4385fa5c04274fb04dbd810c7"},{"fixed":"acb71eab779fb56bf70e8a9e0cb2e82a089a87de"},{"introduced":"f99ce7c1b88ff445f60e9e5575b674cb509e47f3"},{"fixed":"e4f326669a3f98a8804dde23eee6d8403f0a99f1"},{"introduced":"0"},{"last_affected":"cea049bcf8bb0f9a6e0095dbd5dffdb14dc8f71b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"12.22.9"},{"introduced":"14.0.0"},{"fixed":"14.18.3"},{"introduced":"16.0.0"},{"fixed":"16.13.2"},{"introduced":"17.0.0"},{"fixed":"17.3.1"},{"introduced":"0"},{"last_affected":"11.0"}]}}],"versions":["mysql-5.5.52","mysql-5.5.53","mysql-5.5.54","mysql-5.5.55","mysql-5.5.56","mysql-5.5.57","mysql-5.5.58","mysql-5.5.59","mysql-5.5.60","mysql-5.5.61","mysql-5.5.62","mysql-5.5.63","mysql-5.6.33","mysql-5.6.34","mysql-5.6.35","mysql-5.6.36","mysql-5.6.37","mysql-5.6.38","mysql-5.6.39","mysql-5.6.40","mysql-5.6.41","mysql-5.6.42","mysql-5.6.43","mysql-5.6.45","mysql-5.6.46","mysql-5.6.47","mysql-5.6.48","mysql-5.6.49","mysql-5.6.50","mysql-5.6.51","mysql-5.7-22-ndb-7.6.6","mysql-5.7.15","mysql-5.7.16","mysql-5.7.17","mysql-5.7.18","mysql-5.7.19","mysql-5.7.20","mysql-5.7.21","mysql-5.7.22","mysql-5.7.24","mysql-5.7.25","mysql-5.7.26","mysql-5.7.27","mysql-5.7.28","mysql-5.7.29","mysql-5.7.30","mysql-5.7.31","mysql-5.7.32","mysql-5.7.33","mysql-5.7.34","mysql-5.7.35","mysql-5.7.36","mysql-5.7.37","mysql-8.0.0","mysql-8.0.1","mysql-8.0.11","mysql-8.0.12","mysql-8.0.13","mysql-8.0.14","mysql-8.0.15","mysql-8.0.16","mysql-8.0.17","mysql-8.0.18","mysql-8.0.19","mysql-8.0.2","mysql-8.0.20","mysql-8.0.21","mysql-8.0.22","mysql-8.0.23","mysql-8.0.24","mysql-8.0.25","mysql-8.0.26","mysql-8.0.27","mysql-8.0.28","mysql-8.0.29","mysql-8.0.3","mysql-8.0.4","mysql-cluster-7.2.24","mysql-cluster-7.2.25","mysql-cluster-7.2.26","mysql-cluster-7.2.27","mysql-cluster-7.2.28","mysql-cluster-7.2.29","mysql-cluster-7.2.30","mysql-cluster-7.2.31","mysql-cluster-7.2.32","mysql-cluster-7.2.33","mysql-cluster-7.2.34","mysql-cluster-7.2.35","mysql-cluster-7.2.37","mysql-cluster-7.2.38","mysql-cluster-7.2.39","mysql-cluster-7.2.40","mysql-cluster-7.3.13","mysql-cluster-7.3.14","mysql-cluster-7.3.15","mysql-cluster-7.3.16","mysql-cluster-7.3.17","mysql-cluster-7.3.18","mysql-cluster-7.3.19","mysql-cluster-7.3.20","mysql-cluster-7.3.21","mysql-cluster-7.3.22","mysql-cluster-7.3.23","mysql-cluster-7.3.24","mysql-cluster-7.3.25","mysql-cluster-7.3.26","mysql-cluster-7.3.27","mysql-cluster-7.3.28","mysql-cluster-7.3.29","mysql-cluster-7.3.30","mysql-cluster-7.3.31","mysql-cluster-7.3.33","mysql-cluster-7.4.11","mysql-cluster-7.4.12","mysql-cluster-7.4.13","mysql-cluster-7.4.14","mysql-cluster-7.4.15","mysql-cluster-7.4.16","mysql-cluster-7.4.17","mysql-cluster-7.4.18","mysql-cluster-7.4.19","mysql-cluster-7.4.20","mysql-cluster-7.4.21","mysql-cluster-7.4.23","mysql-cluster-7.4.24","mysql-cluster-7.4.25","mysql-cluster-7.4.26","mysql-cluster-7.4.27","mysql-cluster-7.4.28","mysql-cluster-7.4.29","mysql-cluster-7.4.30","mysql-cluster-7.4.32","mysql-cluster-7.4.33","mysql-cluster-7.4.34","mysql-cluster-7.4.35","mysql-cluster-7.5.1","mysql-cluster-7.5.10","mysql-cluster-7.5.11","mysql-cluster-7.5.12","mysql-cluster-7.5.13","mysql-cluster-7.5.14","mysql-cluster-7.5.15","mysql-cluster-7.5.16","mysql-cluster-7.5.17","mysql-cluster-7.5.18","mysql-cluster-7.5.19","mysql-cluster-7.5.2","mysql-cluster-7.5.20","mysql-cluster-7.5.21","mysql-cluster-7.5.23","mysql-cluster-7.5.24","mysql-cluster-7.5.25","mysql-cluster-7.5.3","mysql-cluster-7.5.4","mysql-cluster-7.5.5","mysql-cluster-7.5.6","mysql-cluster-7.5.7","mysql-cluster-7.5.8","mysql-cluster-7.5.9","mysql-cluster-7.6.10","mysql-cluster-7.6.11","mysql-cluster-7.6.12","mysql-cluster-7.6.13","mysql-cluster-7.6.14","mysql-cluster-7.6.15","mysql-cluster-7.6.16","mysql-cluster-7.6.17","mysql-cluster-7.6.19","mysql-cluster-7.6.2","mysql-cluster-7.6.20","mysql-cluster-7.6.3","mysql-cluster-7.6.4","mysql-cluster-7.6.5","mysql-cluster-7.6.6","mysql-cluster-7.6.7","mysql-cluster-7.6.8","mysql-cluster-7.6.9","mysql-cluster-8.0.16","mysql-cluster-8.0.18","mysql-cluster-8.0.19","mysql-cluster-8.0.20","mysql-cluster-8.0.21","mysql-cluster-8.0.22","mysql-cluster-8.0.23","mysql-cluster-8.0.24","mysql-cluster-8.0.25","mysql-cluster-8.0.26","mysql-cluster-8.0.27","mysql-cluster-8.0.28","mysql-cluster-8.0.29","vm-19.3.0","vm-19.3.0.2","vm-19.3.1","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.0","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-20.3.3","vm-20.3.4","vm-20.3.5","vm-21.0.0","vm-21.0.0.2","vm-21.1.0","vm-21.2.0","vm-21.3.0","vm-ce-21.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44532.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}