Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NDebian
OSDebian11.0Node.js
APPNodejs14.0.0 – 14.18.3 (bez)16.0.0 – 16.13.2 (bez)17.0.0 – 17.3.1 (bez)< 12.22.9Oracle Graalvm
APPOracle20.3.521.3.122.0.0.2Oracle MySQL Cluster
APPOracle≤ 8.0.29Oracle MySQL Connectors
APPOracle≤ 8.0.28Oracle MySQL Enterprise Monitor
APPOracle≤ 8.0.29Oracle MySQL Server
APPOracle≤ 5.7.378.0.0 – 8.0.28Oracle MySQL Workbench
APPOracle8.0.0 – 8.0.28Oracle Peoplesoft Enterprise Peopletools
APPOracle8.588.59
Related vulnerabilities
Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)