Affected versions of this package are vulnerable to Insufficient Hostname Verification. TLS session reuse can lead to host certificate verification bypass.
session event is emitted after
secure event on
TLSSocket, but before
secureConnect event. This is problematic for
https.Agent because it must cache session only after verifying the remote peer's certificate.
Connecting to a server that presents an invalid certificate resulted in the session being cached after the handshake with the server and evicted right after a certifiate validation error and socket's destruction. A request initiated during this narrow window would pick the faulty session, send it to the malicious server and skip the verification of the server's certificate.
node to version 12.18.0, 14.4.0, 10.21.0 or higher.