Vulnerability Details : CVE-2022-31183
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to:

1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent.
2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API.
3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s.

It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified; if verification fails, an `SSLException` is raised.

If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection.
Products affected by CVE-2022-31183
- cpe:2.3:a:typelevel:fs2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31183
- EPSS score: 0.27% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-31183
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 | GitHub, Inc. | |
CWE ids for CVE-2022-31183
- The product does not validate, or incorrectly validates, a certificate. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31183
- https://github.com/nodejs/node/issues/43994 : "How to use `new tls.TLSSocket(...)` to establish a secure connection?" (nodejs/node issue #43994). Tags: Exploit; Issue Tracking; Third Party Advisory
- https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207 : "First attempt at test for GHSA-2cpx-6pqp-wf35" (typelevel/fs2 commit 6598243). Tags: Patch; Third Party Advisory
- https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35 : "mTLS client verification is skipped in Node.js TLS server" (typelevel/fs2 advisory GHSA-2cpx-6pqp-wf35). Tags: Third Party Advisory