ALPINE-CVE-2021-44532 — Vulnetix

Try Vulnetix Request Demo

ALPINE-CVE-2021-44532 PUBLISHED CVSS 5.300000190734863 MEDIUM

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.19	nodejs	16.13.0-r0, 14.18.1-r1, 14.18.1-r0
Alpine:v3.13	nodejs	8.9.4-r0, 0, 10.13.0-r0
Alpine:v3.23	nodejs	0, 0, 0
Alpine:v3.12	nodejs	0, 10.13.0-r0, 10.14.0-r0
Alpine:v3.20	nodejs	8.9.4-r0, 14.16.0-r0, 14.16.0-r1
Alpine:v3.17	nodejs	6.11.5-r0, 0, 10.13.0-r0
Alpine:v3.21	nodejs	0, 0, 0
Alpine:v3.16	nodejs	12.18.2-r0, 12.18.0-r0, 12.18.0-r1
Alpine:v3.22	nodejs	0, 0, 0
Alpine:v3.14	nodejs	6.10.3-r0, 6.11.0-r0, 6.11.1-r0
Alpine:v3.15	nodejs	0, 10.13.0-r0, 10.14.0-r0
Alpine:v3.18	nodejs	8.9.4-r0, 8.9.3-r1, 8.9.3-r0

Timeline

Feb 24, 2022 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2021-44532 advisory

Open in Interactive Console →