CVE-2021-22939 Overview
CVE-2021-22939 is a certificate validation bypass in the Node.js HTTPS/TLS client API that is triggered by incorrect use of that API: when a caller passes an explicit undefined for the rejectUnauthorized option, affected releases returned no error and accepted connections to servers presenting an expired (or otherwise unverifiable) certificate. This improper certificate validation (CWE-295) lets an attacker on the network path perform man-in-the-middle attacks against applications that inadvertently build their HTTPS options this way.
Critical Impact
Applications that pass undefined for rejectUnauthorized lose server authentication on those connections: the TLS handshake completes against an expired, self-signed or otherwise invalid certificate, so an on-path attacker can read and modify the traffic. Node.js rated the issue Low severity because it affects only applications that already supply this incorrect value; for such an application, however, the result is a complete loss of server authentication for the affected connections.
Affected Products
- Node.js 12.x before 12.22.5, 14.x before 14.17.5 and 16.x before 16.6.2
- Oracle GraalVM Enterprise Edition (20.3.3, 21.2.0)
- Oracle JD Edwards EnterpriseOne Tools
- Oracle MySQL Cluster
- Oracle PeopleSoft Enterprise PeopleTools (8.57, 8.58, 8.59)
- NetApp NextGen API
- Siemens SINEC Infrastructure Network Services
- Debian Linux 10.0
Discovery Timeline
- August 11, 2021 - Fixed in the Node.js August 2021 security releases (12.22.5, 14.17.5, 16.6.2)
- August 16, 2021 - CVE-2021-22939 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-22939
Vulnerability Analysis
This vulnerability stems from improper handling of the rejectUnauthorized option in Node.js TLS client connections (tls.connect and everything built on it, including https.request). The option controls whether the client verifies the server certificate against its trusted CA store and, through checkServerIdentity, checks the hostname. When it is true, or when the key is omitted so the default of true applies, Node.js aborts the connection if the server presents an invalid, self-signed, expired or mismatched certificate.
The flaw appears when code passes the key with the value undefined, typically by copying an unset configuration field into the options object. Rather than treating this as an invalid value or falling back to the secure default, affected releases let the undefined replace the default and proceeded without aborting on a verification failure. The socket still records the failure (authorized is false and authorizationError names the error), but nothing is thrown and no warning is emitted, so TLS server authentication is silently lost.
Root Cause
The root cause is insufficient validation of the rejectUnauthorized option. In the affected releases the caller's options were spread over a defaults object, so a key that was present but set to undefined replaced the default true with undefined, and the later decision to abort on a verification error only tested the option for truthiness. Undefined therefore behaved exactly like an explicit false, and the API could not distinguish an intentional opt-out from a misconfiguration such as reading a configuration value that does not exist. The fix validates the option so that only an explicit boolean false disables verification.
Attack Vector
An attacker who can position themselves in a network path between a vulnerable Node.js application and its intended server can exploit this vulnerability to perform man-in-the-middle (MITM) attacks. The attack scenario involves:
- The attacker intercepts network traffic between the Node.js client and the legitimate server
- The attacker presents an expired, self-signed, or otherwise invalid certificate
- Due to the misconfigured rejectUnauthorized parameter, the Node.js application accepts the invalid certificate
- The attacker can now intercept, read, and modify all data transmitted between the client and server
The attack is carried out over the network without authentication or user interaction, but it has two preconditions: the application must already be passing undefined for rejectUnauthorized, and the attacker must be able to intercept the client's traffic. Any certificate will do for the interception, since the client never rejects one.
The vulnerability manifests when applications construct HTTPS options objects dynamically, for example from a configuration file or environment variables, and a field that was never set is copied into rejectUnauthorized. Developers should either omit the key entirely, so the secure default of true applies, or set it to a literal boolean, preferably true, in all production environments. For detailed technical information, see the Node.js Security Vulnerability Blog and HackerOne Report #1278254.
Detection Methods for CVE-2021-22939
Indicators of Compromise
- A live TLS client socket whose authorized property is false and whose authorizationError is set (for example CERT_HAS_EXPIRED or DEPTH_ZERO_SELF_SIGNED_CERT) while the request completed normally
- Requests that succeed against a test endpoint deliberately serving an expired or self-signed certificate, which a correctly configured client must refuse
- Application logs showing successful connections to endpoints whose certificates are known to be expired or untrusted; note that on the wire the handshake looks normal, and with TLS 1.3 the certificate is encrypted in transit, so passive network inspection only helps for TLS 1.2 sessions or at a TLS-terminating proxy
Detection Strategies
- Static analysis: flag every rejectUnauthorized assignment whose value is not a boolean literal, including the object-shorthand form { rejectUnauthorized }, and review every explicit false
- Runtime: on the secureConnect event of each client socket, record socket.authorized and socket.authorizationError, and alert when a connection with authorized equal to false is used for a request
- Configuration review: require security-sensitive parameters to be present and correctly typed at startup instead of defaulting silently
- Network monitoring: for TLS 1.2 sessions or at a TLS-terminating proxy, identify connections to servers presenting expired or untrusted certificates
Monitoring Recommendations
- Instrument HTTPS clients to capture the verification outcome themselves (socket.authorized, socket.authorizationError, peer certificate validity dates); Node.js emits no log line or warning for this condition
- Monitor for connections to IP addresses or domains with known certificate issues
- Alert on any HTTPS connection where certificate chain validation failed but the request completed
- Review application dependencies and ensure all Node.js installations are updated to patched versions
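The static and runtime checks listed above, as an added example that is not part of the original page or of the Node.js project. The scanner is a regex heuristic rather than an AST-based lint rule, so it is a triage aid, not proof of absence. The runtime hook uses the real tls.TLSSocket properties authorized and authorizationError and the secureConnect event; the sample sources, the fake socket objects and all function names are constructed for this illustration.

```javascript
'use strict';
// Added example (not from the original page or the Node.js project):
// (1) a heuristic scanner that flags rejectUnauthorized assignments whose
// value is not a boolean literal, and (2) a runtime hook that records what
// the TLS layer actually decided. Sample sources and fake sockets below are
// constructed for the illustration.

// `rejectUnauthorized: <expr>` up to the next comma, closing brace or newline.
const ASSIGN_RE = /rejectUnauthorized\s*:\s*([^,}\n]+)/g;
// Object shorthand `{ rejectUnauthorized }`: takes whatever the local
// variable holds, including undefined.
const SHORTHAND_RE = /[{,]\s*rejectUnauthorized\s*[,}]/g;

const NON_LITERAL = 'value is not a boolean literal and may be undefined';

// Returns one finding per suspicious occurrence, ordered by line number.
function scanSource(source, fileName) {
  const findings = [];
  const lineOf = (index) => source.slice(0, index).split('\n').length;
  for (const m of source.matchAll(ASSIGN_RE)) {
    const value = m[1].trim();
    if (value === 'true') continue; // explicit and secure
    findings.push({
      file: fileName,
      line: lineOf(m.index),
      value,
      reason: value === 'false' ? 'verification explicitly disabled' : NON_LITERAL,
    });
  }
  for (const m of source.matchAll(SHORTHAND_RE)) {
    findings.push({ file: fileName, line: lineOf(m.index),
                    value: '{ rejectUnauthorized }', reason: NON_LITERAL });
  }
  return findings.sort((a, b) => a.line - b.line);
}

function scanAll(sources) {
  return Object.entries(sources).flatMap(([name, src]) => scanSource(src, name));
}

// Constructed sample sources: a clean client, two risky patterns, and an
// explicit opt-out that still deserves review.
const SAMPLE_SOURCES = {
  'client-a.js': [
    "const https = require('https');",
    "https.get({ hostname: 'api.example.test', rejectUnauthorized: true }, onResponse);",
  ].join('\n'),
  'client-b.js': [
    'const options = {',
    "  hostname: 'api.example.test',",
    '  rejectUnauthorized: config.tlsVerify,',
    '};',
    'const rejectUnauthorized = process.env.TLS_VERIFY;',
    "https.request({ hostname: 'api.example.test', rejectUnauthorized }, onResponse);",
  ].join('\n'),
  'client-c.js':
    "tls.connect({ host: 'internal.example.test', port: 443, rejectUnauthorized: false });",
};

// Runtime side. On a real tls.TLSSocket, `authorized` is false and
// `authorizationError` names the failure when verification failed but the
// handshake was kept, which is exactly the state this bug produces.
function auditSecureSocket(socket) {
  const cert = socket.getPeerCertificate();
  const ok = socket.authorized === true;
  return {
    peer: socket.remoteAddress || null,
    authorized: ok,
    error: ok ? null : (socket.authorizationError || 'unknown'),
    validTo: cert && cert.valid_to ? cert.valid_to : null,
    // true: the certificate failed validation and the connection was used anyway
    bypassed: !ok,
  };
}

// Attach to the http.ClientRequest returned by https.request(); secureConnect
// fires once the handshake, including verification, has completed.
function instrumentRequest(req, onAudit) {
  req.on('socket', (socket) => {
    socket.once('secureConnect', () => onAudit(auditSecureSocket(socket)));
  });
  return req;
}
```

scanAll(SAMPLE_SOURCES) reports the config copy on line 3 and the shorthand on line 6 of client-b.js and the explicit false in client-c.js, and nothing for client-a.js. When an Agent reuses a keep-alive socket, secureConnect has already fired, so for pooled connections read socket.authorized directly in the socket handler instead of waiting for the event.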
How to Mitigate CVE-2021-22939
Immediate Actions Required
- Update Node.js to the latest patched version as specified in the Node.js August 2021 Security Releases
- Audit all application code for instances where rejectUnauthorized is dynamically set or may receive undefined values
- Explicitly set rejectUnauthorized: true in all production HTTPS configurations to ensure secure defaults
- Review third-party dependencies that may use Node.js HTTPS API with potentially vulnerable configurations
Patch Information
Node.js released fixes on August 11, 2021 in 12.22.5, 14.17.5 and 16.6.2; earlier 12.x, 14.x and 16.x releases are affected. Consult the Node.js Security Vulnerability Blog for the release notes and download links.
For Oracle products, refer to the following Critical Patch Updates:
- Oracle Critical Patch Update October 2021
- Oracle Critical Patch Update January 2022
- Oracle Critical Patch Update July 2022
For Siemens products, refer to the Siemens Security Advisory SSA-389290.
Workarounds
- Omit rejectUnauthorized entirely so the default of true applies, or set it to a literal true; never copy a configuration value into it that might be undefined, and treat only an explicit boolean false as a deliberate opt-out
- Implement TypeScript or ESLint rules to flag code patterns where rejectUnauthorized may receive non-boolean values
- Add runtime assertions to validate that TLS options contain expected security parameters before making HTTPS connections
- Use environment variable validation to ensure security-critical configuration values are properly defined at application startup
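The option handling described under Vulnerability Analysis and Root Cause, and the workarounds listed just above, as one added example that is not code from the Node.js project or from the original page. The first two functions reproduce the pre-fix behaviour (defaults overwritten by an explicit undefined, then a truthiness test) so the effect can be observed offline; the rest show a vulnerable option builder beside a hardened one, a runtime assertion, and a fail-closed environment-variable check. The config shape, the tlsVerify key, the TLS_VERIFY variable and all function names are assumptions made for the illustration.

```javascript
'use strict';
// Added example, not code from the Node.js project or the original page.
// Reproduces the option handling that let an explicit `undefined` for
// rejectUnauthorized disable verification in Node.js before 12.22.5 /
// 14.17.5 / 16.6.2 (CVE-2021-22939), and shows an option builder that
// cannot produce that state. Config shape and helper names are assumptions.

// Mirrors how tls.connect() in the affected releases merged options: the
// caller's object is spread over the defaults, so a key that is present
// but undefined overwrites the default `true` (an omitted key does not).
function mergeTlsDefaults(callerOptions) {
  return { rejectUnauthorized: true, ...callerOptions };
}

// Mirrors the pre-fix decision at handshake time: a verification error
// only aborted the connection when the option was truthy, so undefined
// behaved like false.
function wouldRejectInvalidCert(mergedOptions) {
  return Boolean(mergedOptions.rejectUnauthorized);
}

// VULNERABLE pattern: copies a config value straight through. If the key
// is missing from the config, rejectUnauthorized becomes undefined.
function buildOptionsVulnerable(config) {
  return {
    hostname: config.hostname,
    port: 443,
    rejectUnauthorized: config.tlsVerify,
  };
}

// HARDENED pattern: only a literal boolean false turns verification off;
// anything else (missing key, undefined, null, the string "0") stays
// secure, and the result is asserted before it reaches https.request().
function buildOptionsHardened(config) {
  return assertTlsOptions({
    hostname: config.hostname,
    port: 443,
    rejectUnauthorized: config.tlsVerify !== false,
  });
}

// Runtime assertion for any options object about to reach https/tls:
// the key must be either absent or a real boolean.
function assertTlsOptions(options) {
  if ('rejectUnauthorized' in options &&
      typeof options.rejectUnauthorized !== 'boolean') {
    throw new TypeError('rejectUnauthorized must be a boolean, got ' +
                        String(options.rejectUnauthorized));
  }
  return options;
}

// Startup validation for an environment-driven switch (TLS_VERIFY is a
// hypothetical name): refuse to start on an unset or unrecognised value
// instead of silently turning it into undefined.
function tlsVerifyFromEnv(env) {
  const raw = env.TLS_VERIFY;
  if (raw === 'true') return true;
  if (raw === 'false') return false;
  throw new Error('TLS_VERIFY must be "true" or "false", got ' + JSON.stringify(raw));
}
```

With a config that lacks tlsVerify, buildOptionsVulnerable() yields rejectUnauthorized: undefined, and passing that through mergeTlsDefaults() and wouldRejectInvalidCert() shows the connection would have been kept; buildOptionsHardened() yields true for the same input, and assertTlsOptions() throws rather than letting an undefined reach the TLS layer. Call tlsVerifyFromEnv(process.env) once at startup and pass the resulting boolean into the config.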
# Example: verify the running Node.js includes the August 2021 fix
node --version
# Patched versions (anything older on the same release line is affected):
# - 16.6.2 for Node.js 16.x
# - 14.17.5 for Node.js 14.x LTS
# - 12.22.5 for Node.js 12.x LTS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


