
Cloud Vulnerability DB
A community-led vulnerabilities database
Nimble, the package manager for the Nim programming language, was exposed to a critical vulnerability (CVE-2021-21374): the httpClient module in Nim's standard library did not validate SSL/TLS server certificates, because its default SSL context was insecure. The issue was reported in February 2021 and affected Nim releases before 1.4.4; fixes shipped in 1.2.10 and 1.4.4 (Consensys Diligence).
The root cause was the default SSL/TLS context that httpClient created when the caller did not supply one: it was built with verifyMode = CVerifyNone. In that mode the client accepts whatever certificate the server presents, self-signed or attacker-issued, with no check that it chains to a trusted CA or belongs to the requested host. Every Nim program that used the default client inherited this behaviour, including Nimble when it fetched the package list (package metadata) from GitHub over HTTPS (Consensys Diligence).
An attacker positioned to intercept that connection (a man-in-the-middle) could therefore present their own certificate and serve a modified package list pointing at malicious packages. If a developer then installed and used one of those packages, the outcome was untrusted code execution on the developer's system (GitHub Advisory).
The issue was fixed in Nim 1.2.10 and 1.4.4 by making httpClient's default context verify peer certificates; users were advised to upgrade to one of those versions. The vulnerability was reported by security researcher tintinweb (Consensys Diligence) and carries a CVSS score of 8.1 (High). Since the fix landed in both the 1.2.x and 1.4.x branches, projects pinned to either line can upgrade without changing major version (GitHub Advisory).
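As an added illustration, not code from the Nim project or from either advisory, the following Nim program shows the default that pre-1.4.4 httpClient used beside an explicitly verifying context. The URL is a placeholder and the procedure names are this example's own; the program must be compiled with `-d:ssl`, and hostname-check behaviour should be confirmed against the Nim version actually in use.

```nim
# Added example (not from the Nim project or the advisories): contrasting the
# insecure pre-1.4.4 httpClient default with an explicitly verifying context.
import std/[httpclient, net]

# Placeholder URL for this example; Nimble's real package-list location is
# deliberately not reproduced here.
const listUrl = "https://example.invalid/packages.json"

proc newInsecureClient(): HttpClient =
  ## Equivalent to the pre-1.4.4 default: CVerifyNone disables peer
  ## verification, so any certificate a MitM presents is accepted.
  ## Shown for contrast only; do not use.
  newHttpClient(sslContext = newContext(verifyMode = CVerifyNone))

proc newVerifyingClient(): HttpClient =
  ## CVerifyPeer makes OpenSSL reject certificates that do not chain to a
  ## trusted CA. Pass caFile/caDir to newContext to pin a specific bundle
  ## instead of relying on the CA store Nim locates on the system.
  newHttpClient(sslContext = newContext(verifyMode = CVerifyPeer))

proc fetchPackageList(client: HttpClient, url: string): string =
  ## Fetches the list and closes the client. With a verifying context an
  ## interposed server with an untrusted certificate fails the TLS handshake
  ## and raises SslError before any body is read.
  try:
    result = client.getContent(url)
  except SslError as e:
    stderr.writeLine "TLS verification failed: ", e.msg
    raise
  finally:
    client.close()

when isMainModule:
  # The insecure client is constructed only to show the pattern to look for
  # in code review; it is never used for a request here.
  let insecure = newInsecureClient()
  insecure.close()
  echo fetchPackageList(newVerifyingClient(), listUrl)
```

When auditing Nim code for this class of bug, search for `newContext(verifyMode = CVerifyNone)` and for `newHttpClient()` calls without an explicit `sslContext` on toolchains older than 1.2.10/1.4.4; both mean the connection will accept an attacker's certificate.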
Source: This report was generated using AI