{"api_version":"1","generated_at":"2026-04-22T21:38:32+00:00","cve":"CVE-2021-44532","urls":{"html":"https://cve.report/CVE-2021-44532","api":"https://cve.report/api/cve/CVE-2021-44532.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-44532","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-44532"},"summary":{"title":"CVE-2021-44532","description":"Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2022-02-24 19:15:00","updated_at":"2022-10-05 14:00:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/","refsource":"MISC","tags":[],"title":"January 10th 2022 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hackerone.com/reports/1429694","name":"https://hackerone.com/reports/1429694","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20220325-0007/","name":"https://security.netapp.com/advisory/ntap-20220325-0007/","refsource":"CONFIRM","tags":[],"title":"March 2022 Node.js Vulnerabilities in NetApp Products | NetApp Product 
Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5170","name":"DSA-5170","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5170-1 nodejs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-44532","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44532","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"graalvm","cpe6":"20.3.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"graalvm","cpe6":"21.3.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"graalvm","cpe6":"22.0.0.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"8.0.29","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_cluster","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"8.0.28","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_connectors","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":
"8.0.29","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_enterprise_monitor","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"5.7.37","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"8.0.28","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"8.0.28","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_workbench","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.58","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"44532","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.59","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-44532","qid":"160231","title":"Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2022-7830)"},{"cve":"CVE-2021-44532","qid":"160361","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2022-9073-1)"},{"cve":"CVE-2021-44532","qid":"179565","title":"Debian Security Update for nodejs (DSA 5170-1)"},{"cve":"CVE-2021-44532","qid":"183685","title":"Debian Security Update for nodejs 
(CVE-2021-44532)"},{"cve":"CVE-2021-44532","qid":"240414","title":"Red Hat Update for rh-nodejs12-nodejs security (RHSA-2022:4914)"},{"cve":"CVE-2021-44532","qid":"240747","title":"Red Hat Update for rh-nodejs14-nodejs (RHSA-2022:7044)"},{"cve":"CVE-2021-44532","qid":"240851","title":"Red Hat Update for nodejs:14 (RHSA-2022:7830)"},{"cve":"CVE-2021-44532","qid":"241026","title":"Red Hat Update for nodejs:16 security (RHSA-2022:9073)"},{"cve":"CVE-2021-44532","qid":"241341","title":"Red Hat Update for nodejs:14 security (RHSA-2023:1742)"},{"cve":"CVE-2021-44532","qid":"282257","title":"Fedora Security Update for nodejs (FEDORA-2022-78090d2099)"},{"cve":"CVE-2021-44532","qid":"282263","title":"Fedora Security Update for nodejs (FEDORA-2022-0eda327cb4)"},{"cve":"CVE-2021-44532","qid":"296062","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)"},{"cve":"CVE-2021-44532","qid":"354342","title":"Amazon Linux Security Advisory for nodejs : ALAS2022-2022-214"},{"cve":"CVE-2021-44532","qid":"354509","title":"Amazon Linux Security Advisory for nodejs : ALAS2022-2022-019"},{"cve":"CVE-2021-44532","qid":"354537","title":"Amazon Linux Security Advisory for nodejs : ALAS-2022-214"},{"cve":"CVE-2021-44532","qid":"355273","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084"},{"cve":"CVE-2021-44532","qid":"376254","title":"Node.js Improper Handling of URI Subject Alternative Names Vulnerability (JAN 2022)"},{"cve":"CVE-2021-44532","qid":"500441","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-44532","qid":"501456","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-44532","qid":"501973","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2021-44532","qid":"502124","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2021-44532","qid":"502138","title":"Alpine Linux Security Update for openjdk11"},{"cve":"CVE-2021-44532","qid":"504210","title":"Alpine Linux 
Security Update for nodejs"},{"cve":"CVE-2021-44532","qid":"690825","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (972ba0e8-8b8a-11ec-b369-6c3be5272acd)"},{"cve":"CVE-2021-44532","qid":"751613","title":"OpenSUSE Security Update for nodejs12 (openSUSE-SU-2022:0113-1)"},{"cve":"CVE-2021-44532","qid":"751614","title":"OpenSUSE Security Update for nodejs14 (openSUSE-SU-2022:0112-1)"},{"cve":"CVE-2021-44532","qid":"753115","title":"SUSE Enterprise Linux Security Update for nodejs12 (SUSE-SU-2022:0113-1)"},{"cve":"CVE-2021-44532","qid":"753438","title":"SUSE Enterprise Linux Security Update for nodejs14 (SUSE-SU-2022:0112-1)"},{"cve":"CVE-2021-44532","qid":"900719","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (8812)"},{"cve":"CVE-2021-44532","qid":"901703","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (8818-1)"},{"cve":"CVE-2021-44532","qid":"940775","title":"AlmaLinux Security Update for nodejs:14 (ALSA-2022:7830)"},{"cve":"CVE-2021-44532","qid":"940859","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2022:9073)"},{"cve":"CVE-2021-44532","qid":"960636","title":"Rocky Linux Security Update for nodejs:14 (RLSA-2022:7830)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-44532","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Following of a Certificate's Chain of Trust 
(CWE-296)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1429694","url":"https://hackerone.com/reports/1429694"},{"refsource":"MISC","name":"https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/","url":"https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220325-0007/","url":"https://security.netapp.com/advisory/ntap-20220325-0007/"},{"refsource":"DEBIAN","name":"DSA-5170","url":"https://www.debian.org/security/2022/dsa-5170"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"description":{"description_data":[{"lang":"eng","value":"Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. 
This behavior can be reverted through the --security-revert command-line option."}]}},"nvd":{"publishedDate":"2022-02-24 19:15:00","lastModifiedDate":"2022-10-05 14:00:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"17.0.0","versionEndExcluding":"17.3.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndExcluding":"16.13.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.18.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionEndExcluding":"12.22.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:
*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*","versionEndIncluding":"8.0.29","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*","versionEndIncluding":"8.0.28","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndIncluding":"8.0.28","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*","versionEndIncluding":"5.7.37","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndIncluding":"8.0.28","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*","versionEndIncluding":"8.0.29","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"44532","Ordinal":"222304","Title":"CVE-2021-44532","CVE":"CVE-2021-44532","Year":"2021"},"notes":[]}}}