CVE-2022-31183 (GCVE-0-2022-31183)

Vulnerability from cvelistv5 – Published: 2022-08-01 19:50 – Updated: 2025-04-22 17:45
VLAI?
Summary
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
Vendor Product Version
typelevel fs2 Affected: >= 3.1.0, < 3.2.11
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/node/issues/43994"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31183",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:37:11.291758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:45:55.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T19:50:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/node/issues/43994"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
        }
      ],
      "source": {
        "advisory": "GHSA-2cpx-6pqp-wf35",
        "discovery": "UNKNOWN"
      },
      "title": "mTLS client verification is skipped in fs2 on Node.js",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31183",
          "STATE": "PUBLIC",
          "TITLE": "mTLS client verification is skipped in fs2 on Node.js"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "fs2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.1.0, \u003c 3.2.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "typelevel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35",
              "refsource": "CONFIRM",
              "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
            },
            {
              "name": "https://github.com/nodejs/node/issues/43994",
              "refsource": "MISC",
              "url": "https://github.com/nodejs/node/issues/43994"
            },
            {
              "name": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207",
              "refsource": "MISC",
              "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2cpx-6pqp-wf35",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31183",
    "datePublished": "2022-08-01T19:50:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:45:55.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:fs2:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1.0\", \"versionEndExcluding\": \"3.2.11\", \"matchCriteriaId\": \"750D10F3-1FF8-4173-A44A-ACDE06641472\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.\"}, {\"lang\": \"es\", \"value\": \"fs2 es una librer\\u00eda de E/S de composici\\u00f3n para Scala. Cuando es establecido un \\\"TLSSocket\\\" en modo servidor usando \\\"fs2-io\\\" en Node.js, el par\\u00e1metro \\\"requestCert = true\\\" es ignorado, la verificaci\\u00f3n del certificado del compa\\u00f1ero es omitida, y la conexi\\u00f3n procede. La vulnerabilidad es limitada a: 1. \\\"fs2-io\\\" corriendo en Node.js. La implementaci\\u00f3n de TLS en la JVM es completamente independiente. 2. \\\"TLSSocket\\\"s en modo servidor. Los \\\"TLSSocket\\\" en modo cliente es implementado por medio de una API diferente. 3. mTLS est\\u00e1 habilitado por medio de \\\"requestCert = true\\\" en \\\"TLSParameters\\\". La configuraci\\u00f3n por defecto es \\\"false\\\" para los \\\"TLSSocket\\\" en modo servidor. Es introducida con la implementaci\\u00f3n inicial de Node.js de fs2-io en la versi\\u00f3n 3.1.0. Ha sido publicado un parche en la versi\\u00f3n 3.2.11. Es respetado el par\\u00e1metro requestCert = true y es verificado el certificado del compa\\u00f1ero. Si la verificaci\\u00f3n falla, es lanzada una SSLException. Si es usada una versi\\u00f3n sin parche en Node.js, no debe usarse un TLSSocket en modo servidor con requestCert = true para establecer una conexi\\u00f3n mTLS\"}]",
      "id": "CVE-2022-31183",
      "lastModified": "2024-11-21T07:04:04.403",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2022-08-01T20:15:08.410",
      "references": "[{\"url\": \"https://github.com/nodejs/node/issues/43994\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nodejs/node/issues/43994\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31183\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-08-01T20:15:08.410\",\"lastModified\":\"2024-11-21T07:04:04.403\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.\"},{\"lang\":\"es\",\"value\":\"fs2 es una librer\u00eda de E/S de composici\u00f3n para Scala. Cuando es establecido un \\\"TLSSocket\\\" en modo servidor usando \\\"fs2-io\\\" en Node.js, el par\u00e1metro \\\"requestCert = true\\\" es ignorado, la verificaci\u00f3n del certificado del compa\u00f1ero es omitida, y la conexi\u00f3n procede. La vulnerabilidad es limitada a: 1. \\\"fs2-io\\\" corriendo en Node.js. La implementaci\u00f3n de TLS en la JVM es completamente independiente. 2. \\\"TLSSocket\\\"s en modo servidor. Los \\\"TLSSocket\\\" en modo cliente es implementado por medio de una API diferente. 3. mTLS est\u00e1 habilitado por medio de \\\"requestCert = true\\\" en \\\"TLSParameters\\\". La configuraci\u00f3n por defecto es \\\"false\\\" para los \\\"TLSSocket\\\" en modo servidor. Es introducida con la implementaci\u00f3n inicial de Node.js de fs2-io en la versi\u00f3n 3.1.0. Ha sido publicado un parche en la versi\u00f3n 3.2.11. Es respetado el par\u00e1metro requestCert = true y es verificado el certificado del compa\u00f1ero. Si la verificaci\u00f3n falla, es lanzada una SSLException. Si es usada una versi\u00f3n sin parche en Node.js, no debe usarse un TLSSocket en modo servidor con requestCert = true para establecer una conexi\u00f3n mTLS\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:fs2:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.0\",\"versionEndExcluding\":\"3.2.11\",\"matchCriteriaId\":\"750D10F3-1FF8-4173-A44A-ACDE06641472\"}]}]}],\"references\":[{\"url\":\"https://github.com/nodejs/node/issues/43994\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nodejs/node/issues/43994\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/nodejs/node/issues/43994\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.653Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31183\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:37:11.291758Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:37:13.083Z\"}}], \"cna\": {\"title\": \"mTLS client verification is skipped in fs2 on Node.js\", \"source\": {\"advisory\": \"GHSA-2cpx-6pqp-wf35\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"typelevel\", \"product\": \"fs2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.2.11\"}]}], \"references\": [{\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nodejs/node/issues/43994\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-08-01T19:50:11.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-2cpx-6pqp-wf35\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 3.1.0, \u003c 3.2.11\"}]}, \"product_name\": \"fs2\"}]}, \"vendor_name\": \"typelevel\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"name\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/nodejs/node/issues/43994\", \"name\": \"https://github.com/nodejs/node/issues/43994\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"name\": \"https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-295: Improper Certificate Validation\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31183\", \"STATE\": \"PUBLIC\", \"TITLE\": \"mTLS client verification is skipped in fs2 on Node.js\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31183\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T17:45:55.210Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-08-01T19:50:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.