Summary
The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 does not affect any active Node.js release lines.
Analysis
Our assessment of the security advisory is:
X.509 Policy Constraints Double Locking (CVE-2022-3996)
Node.js doesn’t call OpenSSL as a separate process (so the -policy flag
cannot be used), nor does it call the functions
X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies().
Therefore, Node.js is not affected by this vulnerability.
Contact and future updates
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security,
including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
nodejs GitHub organization.