CVE-2022-31183

CRITICAL

fs2-io < 3.2.11 (Node.js) - mTLS Peer Certificate Verification Bypass in Server-Mode TLSSocket

Title source: llm

Description

fs2 is a compositional, streaming I/O library for Scala. When a server-mode `TLSSocket` is established with `fs2-io` on Node.js, the parameter `requestCert = true` is ignored: no client certificate is requested or verified, and the connection proceeds as if mTLS had succeeded. A client can therefore complete the handshake without presenting a certificate, and the server has no authenticated identity for the peer (CWE-295, Improper Certificate Validation).

The vulnerability is limited to:

1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent and is not affected.
2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API.
3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default for server-mode `TLSSocket`s is `false`, so servers that do not opt in to mTLS are not affected.

The bug was introduced with the initial Node.js implementation of fs2-io in 3.1.0 and is fixed in v3.2.11, where `requestCert = true` is respected and the peer certificate is verified; if verification fails, an `SSLException` is raised.

Workaround: if using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection, since the setting provides no client authentication.

References (3)

https://github.com/nodejs/node/issues/43994 (Exploit, Issue Tracking, Third Party Advisory)

Scores

CVSS v3.1 base score: 9.1 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0063 (percentile 45.3%)

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-295
Status published
Products (7), affected range >= 3.1.0 and < 3.2.11 (fixed in 3.2.11)

co.fs2/fs2-io (Maven)
co.fs2/fs2-io_2.12 (Maven)
co.fs2/fs2-io_2.13 (Maven)
co.fs2/fs2-io_3 (Maven)
co.fs2/fs2-io_sjs1_2.13 (Maven)
co.fs2/fs2-io_sjs1_3 (Maven)
typelevel/fs2
Published Aug 01, 2022
Tracked Since Feb 18, 2026