Vulnerability DatabaseCVE-2021-40830

CVE-2021-40830:
JavaScript vulnerability analysis and mitigation

Overview

The AWS IoT Device SDK v2 for Java, Python, C++, and Node.js contains a vulnerability (CVE-2021-40830) where the SDK appends a user-supplied Certificate Authority (CA) to the root CAs instead of properly validating it. This vulnerability affects multiple SDK versions including Java SDK up to version 1.5.0, Node.js SDK up to version 1.5.3, Python SDK up to version 1.6.1, and C++ SDK up to version 1.12.7 (NVD).

Technical details

The vulnerability is classified with a CVSS v3.1 score indicating high severity with the following metrics: Attack Vector: Adjacent Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, and Impact: High for Confidentiality, Integrity, and Availability. The vulnerability is categorized as CWE-295, which relates to improper certificate validation (NVD).

Impact

The improper handling of Certificate Authority validation could potentially allow attackers to perform man-in-the-middle attacks by injecting malicious certificates, potentially compromising the confidentiality and integrity of communications between IoT devices and AWS services (NVD).

Mitigation and workarounds

Users should update to the fixed versions of the affected SDKs: Java SDK version 1.5.0 or later, Node.js SDK version 1.5.3 or later, Python SDK version 1.6.1 or later, and C++ SDK version 1.12.7 or later (NVD).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.8

Score

Published November 23, 2021

Severity HIGH

CNA Score 6.3

Affected Technologies

JavaScript
Java

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 28.8

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

aws-iot-device-sdk-v2
awsiotsdk

Sources

NVD
GitHub Advisory Database
- Maven Severity HIGHHas FixAdded at: Nov 25, 2021
- npm Severity HIGHHas FixAdded at: Nov 25, 2021
- pip Severity HIGHHas FixAdded at: Nov 25, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22787	HIGH	8.7	JavaScript	html2pdf.js	No	Yes	Jan 14, 2026
CVE-2026-22820	MEDIUM	6.3	JavaScript	outray	No	Yes	Jan 14, 2026
CVE-2026-22819	MEDIUM	5.9	JavaScript	outray	No	Yes	Jan 14, 2026
CVE-2026-22036	LOW	3.7	JavaScript	node-undici	No	Yes	Jan 14, 2026
GHSA-73rr-hh4g-fpgx	LOW	N/A	JavaScript	diff	No	Yes	Jan 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-40830: JavaScript vulnerability analysis and mitigation