If the Node.js https API in versions before 16.6.2, 14.17.5 and 12.22.5 was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
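A caller-side guard for the case described above, as an added example that is not code from the Node.js project or the advisory. The helper `normalizeTlsOptions`, its `allowInsecure` flag and the sample config are hypothetical; the helper forces `rejectUnauthorized` to an explicit boolean before the options reach the https API, so a present-but-`undefined` value fails closed.

```javascript
// Added example: hypothetical helper, not part of Node.js.
// Returns a copy of `options` whose rejectUnauthorized is always an explicit
// boolean, plus a list of findings that the caller can log.
function normalizeTlsOptions(options = {}, { allowInsecure = false } = {}) {
  const findings = [];
  const out = { ...options };
  const present = Object.prototype.hasOwnProperty.call(options, 'rejectUnauthorized');
  const value = options.rejectUnauthorized;

  if (!present) {
    // Key absent: state the strict default explicitly.
    out.rejectUnauthorized = true;
  } else if (value === false) {
    // Disabling verification must be a deliberate, separately approved choice.
    if (!allowInsecure) {
      throw new TypeError('rejectUnauthorized: false is not permitted here');
    }
    findings.push('certificate verification explicitly disabled');
  } else if (value !== true) {
    // undefined, null, 0, '', 'false', ...: not a boolean. Fail closed
    // instead of letting a falsy value decide whether certificates are checked.
    findings.push(`rejectUnauthorized was ${String(value)} (${typeof value}); forced to true`);
    out.rejectUnauthorized = true;
  }
  return { options: out, findings };
}

// Constructed sample: the config object lacks a strictTls field, so the
// property exists on the options object but its value is undefined.
const sampleConfig = { host: 'internal.example' };
const sampleOptions = {
  host: sampleConfig.host,
  port: 443,
  rejectUnauthorized: sampleConfig.strictTls,
};

function demo() {
  return normalizeTlsOptions(sampleOptions);
}

// Intended use: https.request(normalizeTlsOptions(opts).options, callback)
```

The guard is a defence in depth for callers; upgrading to a fixed release listed above remains the actual remedy.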
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
https://hackerone.com/reports/1278254
https://github.com/nodejs-private/node-private/pull/276
https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80
https://github.com/nodejs/node/commit/35b86110e45083a75d7dc8e6be5a930b262494f6
https://github.com/nodejs/node/commit/1780bbc3291357f7c3370892eb311fc7a62afe8d