CVE-2021-44533: 
MySQL vulnerability analysis and mitigation

Node.js versions < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 contained a vulnerability in handling multi-value Relative Distinguished Names. The vulnerability was discovered and reported by Google, with patches released in January 2022 (NodeJS Blog).

The vulnerability stems from incorrect handling of multi-value Relative Distinguished Names in certificate subject verification. Affected versions of Node.js did not handle these names correctly, which could lead to ambiguous presentation of certificate subjects. While the affected Node.js versions themselves do not accept multi-value Relative Distinguished Names and are thus not directly vulnerable, third-party code using node's ambiguous presentation of certificate subjects may be vulnerable (NVD). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

Attackers could potentially craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name. This could be used to inject a Common Name that would allow bypassing the certificate subject verification (NodeJS Blog).

The vulnerability has been fixed in Node.js versions 12.22.9, 14.18.3, 16.13.2, and 17.3.1. Users should upgrade to these or later versions to address the vulnerability (NodeJS Blog).