Three medium-impact and one low severity bug have been patched
The developers behind Node.js have released new versions of several release lines to address four vulnerabilities in the server-side technology.
The security flaws, three of medium severity and one marked as low severity, have been fixed in new versions of the 12.x, 14.x, 16.x, and 17.x branches.
As detailed in a Node.js security advisory yesterday (January 10), the first vulnerability (CVE-2021-44531) was due to the improper handling of URI Subject Alternative Names.
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates, wrote the developers in a blog post.
Node.js was accepting URI SAN types, which PKIs are often not defined to use. In addition, when a protocol allows URI SANs, Node.js did not match the URI correctly.
This issue, which was reported to the team by Google, has been fixed in the newer versions of Node.js, which disable the URI SAN type when checking a certificate against a hostname.
This behavior can be reverted through the --security-revert command-line option, adds the blog.
Another issue (CVE-2021-44532) is a certificate verification bypass via string injection bug.
When Node.js converts SANs to a string format, it uses this string to check peer certificates against hostnames when validating connections.
The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
The vulnerability, also reported by Google, is now fixed. Newer versions escape SANs containing the problematic characters in order to prevent the injection. This behavior can also be reverted through the --security-revert command-line option.
The third medium severity bug, also reported by Google, is the incorrect handling of certificate subject and issuer fields (CVE-2021-44533).
The blog post explains that Node.js did not handle multi-value Relative Distinguished Names correctly.
“Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification,” it reads.
Affected versions of Node.js, however, do not accept multi-value Relative Distinguished Names and are therefore not vulnerable to such attacks. However, the developers warn, third-party code that uses Node.js’ ambiguous presentation of certificate subjects may be vulnerable.
Finally, a fourth, low severity security flaw (CVE-2022-21824) could allow prototype pollution via console.table properties.
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__, the developers explain.
However, the prototype pollution bug has very limited impact, as it only allows an empty string to be assigned to numerical keys of the object prototype.
The latest versions for Node.js use a null prototype for the object these properties are being assigned to in order to fix the issue.
All of the issues have been fixed in releases for Node.js versions 12.x, 14.x, 16.x, and 17.x. The fixes can be found in the security notes.
The Daily Swig has reached out to the developers of Node.js for comment and will update this article accordingly.