Platform: nodejs
Component: node-js
Fixed in: 4.*, 5.*, 6.*, 7.*, 8.*, 9.*, 10.*, 11.*, 12.22.5, 13.*, 14.17.5, 15.*, 16.6.2
CVE-2021-22939 is a security vulnerability in Node.js related to the handling of SSL/TLS certificates. Specifically, if the https API was used incorrectly and undefined was passed for the rejectUnauthorized parameter, Node.js would not return an error when connecting to servers presenting expired certificates. This can lead to man-in-the-middle attacks and data compromise, impacting applications relying on secure HTTPS connections. The vulnerability affects Node.js versions 4.0 through 16.6.2, and a fix is available in version 16.6.2.
The primary impact of CVE-2021-22939 is the potential for man-in-the-middle (MITM) attacks. An attacker could intercept and potentially modify encrypted traffic between a client and a server if the client is using a vulnerable version of Node.js and the server presents an expired certificate. This could allow the attacker to steal sensitive data, such as user credentials, financial information, or proprietary business data. The risk is amplified in environments where certificate validation is critical, such as financial transactions or secure communication channels. While the vulnerability requires specific API usage patterns, the potential for widespread impact exists given the prevalence of Node.js in web applications and backend services.
CVE-2021-22939 was publicly disclosed on August 16, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is available, demonstrating the potential for exploitation, which increases the risk of future attacks.
Applications and services built on Node.js that rely on HTTPS connections and incorrectly configure the rejectUnauthorized parameter are at risk. This includes web applications, APIs, and backend services that process sensitive data over HTTPS. Specifically, older Node.js projects that haven't been regularly updated are particularly vulnerable.
• nodejs / server: npm list --depth=0 | grep node
• nodejs / server: node -v
• nodejs / server: Check application code for instances where https.request or similar functions are used with rejectUnauthorized set to undefined or omitted.
• nodejs / server: Monitor Node.js application logs for errors related to certificate validation or connection failures.
Exploit status: disclosure
EPSS: 0.12% (32nd percentile)
The most effective mitigation for CVE-2021-22939 is to upgrade to Node.js version 16.6.2 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to explicitly set rejectUnauthorized to true when using the https module, ensuring that expired certificates are rejected. Additionally, review your application code to identify any instances where the rejectUnauthorized parameter is being set to undefined or omitted. After upgrading, confirm the fix by attempting to connect to a server with an expired certificate; the connection should now fail with an appropriate error.
Update Node.js to version 12.22.5 or higher. This fixes the vulnerability that allowed connections to servers with expired certificates to be established by passing 'undefined' to the 'rejectUnauthorized' parameter of the https API.
CVE-2021-22939 is a Node.js vulnerability where connections to servers with expired certificates could be accepted without error, potentially enabling man-in-the-middle attacks. It affects versions 4.0–16.6.2.
You are affected if you are using Node.js versions 4.0 through 16.6.2 and your code incorrectly handles the rejectUnauthorized parameter in the https module.
Upgrade to Node.js version 16.6.2 or later. As a temporary workaround, explicitly set rejectUnauthorized to true when using the https module.
There is no current evidence of active exploitation, but public proof-of-concept code exists, increasing the risk of future attacks.
Refer to the official Node.js security advisory: https://nodejs.org/en/blog/v16-x-security-advisories/