
Nim stdlib httpClient does not validate peer certificates by default

Moderate
FedericoCeratto published GHSA-9vqv-2jj9-7mqr May 7, 2021

Package

Nim (Nim)

Affected versions

< 1.4.2

Patched versions

1.4.2

Description

In the Nim standard library's httpClient, SSL/TLS certificate verification was disabled by default.
This behaviour was documented at https://nim-lang.org/docs/net.html

Workarounds

Set "verifyMode = CVerifyPeer" on the SSL context, as documented, so that peer certificates are verified regardless of the library default.
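The weak and the corrected configuration side by side, as an added example that is not part of the advisory or of the Nim project's code. It assumes a build with `-d:ssl`; the URL is a placeholder.

```nim
# Added example: build with `nim c -d:ssl verify_peer.nim`.
import std/[httpclient, net]

# Weak configuration: certificate verification explicitly off. This is what the
# pre-1.4.2 default amounted to: any certificate, including one presented by an
# on-path attacker, is accepted and the connection looks "secure" to the caller.
proc insecureClient(): HttpClient =
  newHttpClient(sslContext = newContext(verifyMode = CVerifyNone))

# Hardened configuration (the advisory's workaround): the peer certificate must
# chain to a CA in the system trust store, so it does not matter what the
# library default happens to be in the Nim version you compile against.
proc verifyingClient(): HttpClient =
  newHttpClient(sslContext = newContext(verifyMode = CVerifyPeer))

when isMainModule:
  let url = "https://example.com/"   # placeholder target, assumption
  let client = verifyingClient()
  try:
    let resp = client.get(url)
    echo "status: ", resp.status
  except SslError as e:
    # With CVerifyPeer a failed chain is a hard error, not a silent fallback.
    echo "TLS verification failed: ", e.msg
  finally:
    client.close()
```

Pointing the verifying client at a host with a self-signed or mismatched certificate raises `SslError`, whereas `insecureClient()` would return the response as if nothing were wrong.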

References

https://nim-lang.org/blog/2020/04/03/version-120-released.html
nim-lang/Nim#782
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/

Severity

Moderate, 5.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID

CVE-2021-29495

Weaknesses