Improper Certificate Validation Affecting node package, versions [16.0.0,16.20.1) [18.0.0,18.16.1) [20.0.0,20.3.1)
- Snyk ID SNYK-UPSTREAM-NODE-5741892
- published 30 Mar 2023
- disclosed 28 Mar 2023
- credit David Benjamin
Introduced: 28 Mar 2023
CVE-2023-0466
How to fix?
Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.
Overview
node is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Affected versions of this package are vulnerable to Improper Certificate Validation because the X509_VERIFY_PARAM_add0_policy() function does not enable the certificate policy check, so certificates with invalid or incorrect policies can pass certificate verification.
Note:
Since enabling the policy check could break existing deployments, it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Applications that require OpenSSL to perform the certificate policy check need to use X509_VERIFY_PARAM_set1_policies(), or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.