Vulnerability Report

CVE-2022-3602

RCE

Title: Nodejs Node.Js RCE

Memory Corruption

Proof Of Concept

PoC Available for CVE-2022-3602

CWE Category CWE-787

Published Date Nov 01, 2022

Modified Date Apr 14, 2026

Exploit Status Available

Score 7.5 CVSS v3.1

Exploit Probability (EPSS)

83.51%

Vulnerability Summary

CVE-2022-3602: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Impacted Vendors

Reference Links

http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html http://www.openwall.com/lists/oss-security/2022/11/01/15 http://www.openwall.com/lists/oss-security/2022/11/01/16 http://www.openwall.com/lists/oss-security/2022/11/01/17 http://www.openwall.com/lists/oss-security/2022/11/01/18 http://www.openwall.com/lists/oss-security/2022/11/01/19 http://www.openwall.com/lists/oss-security/2022/11/01/20 http://www.openwall.com/lists/oss-security/2022/11/01/21 http://www.openwall.com/lists/oss-security/2022/11/01/24 http://www.openwall.com/lists/oss-security/2022/11/02/1 http://www.openwall.com/lists/oss-security/2022/11/02/10 http://www.openwall.com/lists/oss-security/2022/11/02/11 http://www.openwall.com/lists/oss-security/2022/11/02/12 http://www.openwall.com/lists/oss-security/2022/11/02/13 http://www.openwall.com/lists/oss-security/2022/11/02/14 http://www.openwall.com/lists/oss-security/2022/11/02/15 http://www.openwall.com/lists/oss-security/2022/11/02/2 http://www.openwall.com/lists/oss-security/2022/11/02/3 http://www.openwall.com/lists/oss-security/2022/11/02/5 http://www.openwall.com/lists/oss-security/2022/11/02/6 http://www.openwall.com/lists/oss-security/2022/11/02/7 http://www.openwall.com/lists/oss-security/2022/11/02/9 http://www.openwall.com/lists/oss-security/2022/11/03/1 http://www.openwall.com/lists/oss-security/2022/11/03/10 http://www.openwall.com/lists/oss-security/2022/11/03/11 http://www.openwall.com/lists/oss-security/2022/11/03/2 http://www.openwall.com/lists/oss-security/2022/11/03/3 http://www.openwall.com/lists/oss-security/2022/11/03/5 http://www.openwall.com/lists/oss-security/2022/11/03/6 http://www.openwall.com/lists/oss-security/2022/11/03/7 http://www.openwall.com/lists/oss-security/2022/11/03/9 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/ https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023 https://security.gentoo.org/glsa/202211-01 https://security.netapp.com/advisory/ntap-20221102-0001/ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a https://www.kb.cert.org/vuls/id/794340 https://www.openssl.org/news/secadv/20221101.txt http://packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html http://www.openwall.com/lists/oss-security/2022/11/01/15 http://www.openwall.com/lists/oss-security/2022/11/01/16 http://www.openwall.com/lists/oss-security/2022/11/01/17 http://www.openwall.com/lists/oss-security/2022/11/01/18 http://www.openwall.com/lists/oss-security/2022/11/01/19 http://www.openwall.com/lists/oss-security/2022/11/01/20 http://www.openwall.com/lists/oss-security/2022/11/01/21 http://www.openwall.com/lists/oss-security/2022/11/01/24 http://www.openwall.com/lists/oss-security/2022/11/02/1 http://www.openwall.com/lists/oss-security/2022/11/02/10 http://www.openwall.com/lists/oss-security/2022/11/02/11 http://www.openwall.com/lists/oss-security/2022/11/02/12 http://www.openwall.com/lists/oss-security/2022/11/02/13 http://www.openwall.com/lists/oss-security/2022/11/02/14 http://www.openwall.com/lists/oss-security/2022/11/02/15 http://www.openwall.com/lists/oss-security/2022/11/02/2 http://www.openwall.com/lists/oss-security/2022/11/02/3 http://www.openwall.com/lists/oss-security/2022/11/02/5 http://www.openwall.com/lists/oss-security/2022/11/02/6 http://www.openwall.com/lists/oss-security/2022/11/02/7 http://www.openwall.com/lists/oss-security/2022/11/02/9 http://www.openwall.com/lists/oss-security/2022/11/03/1 http://www.openwall.com/lists/oss-security/2022/11/03/10 http://www.openwall.com/lists/oss-security/2022/11/03/11 http://www.openwall.com/lists/oss-security/2022/11/03/2 http://www.openwall.com/lists/oss-security/2022/11/03/3 http://www.openwall.com/lists/oss-security/2022/11/03/5 http://www.openwall.com/lists/oss-security/2022/11/03/6 http://www.openwall.com/lists/oss-security/2022/11/03/7 http://www.openwall.com/lists/oss-security/2022/11/03/9 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fe3b639dc19b325846f4f6801f2f4604f56e3de3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/ https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023 https://security.gentoo.org/glsa/202211-01 https://security.netapp.com/advisory/ntap-20221102-0001/ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00789.html https://www.kb.cert.org/vuls/id/794340 https://www.openssl.org/news/secadv/20221101.txt

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-3602 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/NCSC-NL/OpenSSL-2022

View Code

GitHub https://github.com/colmmacc/CVE-2022-3602

View Code

GitHub https://github.com/rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc

View Code

April 14, 2026 MODIFIED

Vulnerability data updated via NVD.

November 04, 2025 MODIFIED

Vulnerability data or affected products updated.

November 01, 2022 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Stack

No specific products linked.