Insufficient Hostname Verification Affecting node package, versions [12.0.0,12.18.0) [14.0.0,14.4.0) [10.0.0,10.21.0)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UPSTREAM-NODE-570869
- published 2 Jun 2020
- disclosed 2 Jun 2020
- credit Fedor Indutny
Introduced: 2 Jun 2020
CVE-2020-8172 Open this link in a new tabHow to fix?
Upgrade node to version 12.18.0, 14.4.0, 10.21.0 or higher.
Overview
node is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Affected versions of this package are vulnerable to Insufficient Hostname Verification. TLS session reuse can lead to host certificate verification bypass.
session event is emitted after secure event on TLSSocket, but before secureConnect event. This is problematic for https.Agent because it must cache session only after verifying the remote peer's certificate.
Connecting to a server that presents an invalid certificate resulted in the session being cached after the handshake with the server and evicted right after a certifiate validation error and socket's destruction. A request initiated during this narrow window would pick the faulty session, send it to the malicious server and skip the verification of the server's certificate.