CVE-2021-22939: 
npm vulnerability analysis and mitigation

If the Node.js https API was used incorrectly and "undefined" was passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. This vulnerability affects all versions of Node.js 12.x prior to 12.22.5, 14.x prior to 14.17.5, and 16.x prior to 16.6.2 (Node.js Blog).

The vulnerability is related to improper certificate validation (CWE-295) in the Node.js HTTPS API. When "undefined" is passed as the value for the "rejectUnauthorized" parameter, the API fails to properly validate expired certificates, allowing connections that should be rejected. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).

A successful exploitation of this vulnerability could allow an attacker to establish connections to servers with expired certificates, potentially leading to man-in-the-middle attacks and compromising the security of HTTPS connections (Node.js Blog).

The vulnerability has been fixed in Node.js versions 12.22.5, 14.17.5, and 16.6.2. Users should upgrade to these or later versions. The fix ensures proper validation of certificates even when "undefined" is passed as the rejectUnauthorized parameter (Node.js Blog).