CVE-2021-44532

Name: CVE-2021-44532
Creator: NVD / NIST
Published: 2022-02-24T19:15:09.36+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 10.36%

Last modified Jun 17, 2026

CVE-2021-44532 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. EPSS estimates a 10.36% chance of exploitation in the next 30 days.

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

10.36%

95.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nodejs	Node.Js	< 12.22.9
Nodejs	Node.Js	>= 14.0.0, < 14.18.3
Nodejs	Node.Js	>= 16.0.0, < 16.13.2
Nodejs	Node.Js	>= 17.0.0, < 17.3.1
Oracle	Graalvm	20.3.5
Oracle	Graalvm	21.3.1
Oracle	Graalvm	22.0.0.2
Oracle	Mysql Cluster	<= 8.0.29
Oracle	Mysql Connectors	<= 8.0.28
Oracle	Mysql Enterprise Monitor	<= 8.0.29
Oracle	Mysql Server	<= 5.7.37
Oracle	Mysql Server	>= 8.0.0, <= 8.0.28
Oracle	Mysql Workbench	>= 8.0.0, <= 8.0.28
Oracle	Peoplesoft Enterprise Peopletools	8.58
Oracle	Peoplesoft Enterprise Peopletools	8.59
Debian	Debian Linux	11.0

References

https://hackerone.com/reports/1429694Mitigation, Third Party Advisory
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/Exploit, Release Notes, Vendor Advisory
https://security.netapp.com/advisory/ntap-20220325-0007/Third Party Advisory
https://www.debian.org/security/2022/dsa-5170Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
https://hackerone.com/reports/1429694Mitigation, Third Party Advisory
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/Exploit, Release Notes, Vendor Advisory
https://security.netapp.com/advisory/ntap-20220325-0007/Third Party Advisory
https://www.debian.org/security/2022/dsa-5170Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory

Timeline

Published: Feb 24, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-44532?

How severe is CVE-2021-44532?

CVE-2021-44532 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 10.36% probability of exploitation in the next 30 days.

How do I fix CVE-2021-44532?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-44532?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST