Ayms node-To master exposes TLS traffic
CVE-2025-70043
Disabled TLS certificate validation lets attackers intercept and modify encrypted traffic. Upgrade Ayms node-To master to a version with secure TLS defaults.
Patch now - CVE-2025-70043 is a critical TLS certificate validation bypass in Ayms node-To master that lets man-in-the-middle attackers decrypt HTTPS traffic and inject content into it. Because the application disables all identity checks on its connections, the flaw exposes credentials and data to interception.
Overview
A critical security vulnerability has been identified in Ayms node-To master. The flaw involves the improper disabling of Transport Layer Security (TLS) certificate validation, allowing connections to potentially malicious servers.
Vulnerability Explained
In simple terms, this vulnerability weakens a fundamental security check for encrypted internet connections. When software communicates securely (using HTTPS or similar protocols), it must verify the identity of the server it’s connecting to using a digital certificate. This is like checking an ID card before sharing a secret.
The affected application explicitly disables this vital check by setting rejectUnauthorized: false in its code. This means the application will establish “secure” connections to any server, even if that server presents a fake, expired, or otherwise invalid certificate. It essentially trusts all connections without verification.
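A check for the setting described above, as an added example that is not code from this advisory or from the affected project: it scans JavaScript source text for rejectUnauthorized set to a falsy literal and ignores commented-out code. It also flags NODE_TLS_REJECT_UNAUTHORIZED set to 0, a Node.js environment switch this advisory does not mention but which disables validation process-wide. The function names and sample input are constructed for illustration.

```javascript
// Added example: report lines that switch off TLS certificate validation in Node.js code.
const RULES = [
  // The option named in the advisory, set to a falsy literal (object key or assignment).
  { id: 'rejectUnauthorized-off', re: /\brejectUnauthorized\b['"]?\s*[:=]\s*(?:false|0|!1)\b/ },
  // Process-wide equivalent: Node.js skips validation when this variable is "0".
  { id: 'env-validation-off', re: /NODE_TLS_REJECT_UNAUTHORIZED['"\]]*\s*=\s*['"]?0\b/ },
];

// Blank out // and /* */ comments (keeping line breaks); quotes are tracked so URLs survive.
function stripComments(src) {
  let out = '', quote = null, i = 0;
  while (i < src.length) {
    const c = src[i], two = src.slice(i, i + 2);
    if (quote) {
      if (c === '\\') { out += two; i += 2; continue; }
      if (c === quote || (c === '\n' && quote !== '`')) quote = null;
      out += c; i++;
    } else if (two === '//') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (two === '/*') {
      const end = src.indexOf('*/', i + 2), stop = end === -1 ? src.length : end + 2;
      out += src.slice(i, stop).replace(/[^\n]/g, ' ');
      i = stop;
    } else {
      if (c === '"' || c === "'" || c === '`') quote = c;
      out += c; i++;
    }
  }
  return out;
}

// Returns one { file, line, rule, text } record per matching line and rule.
function findDisabledTlsValidation(src, file = '<input>') {
  const findings = [];
  stripComments(src).split('\n').forEach((text, idx) => {
    for (const { id, re } of RULES) {
      if (re.test(text)) findings.push({ file, line: idx + 1, rule: id, text: text.trim() });
    }
  });
  return findings;
}
// Constructed sample input, not taken from the affected project.
const SAMPLE = [
  "// opts.rejectUnauthorized = false  (old experiment)",
  "const a = tls.connect({ host: h, port: 443, rejectUnauthorized: false });",
  "if (opts.rejectUnauthorized === false) warn('see https://example.test/doc');",
  "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';",
].join('\n');
console.log(findDisabledTlsValidation(SAMPLE, 'sample.js'));
```

The scanner works on text passed to it, so feeding it the contents of each source file in a deployment is left to the caller. Values computed at run time (for example an option read from a configuration file) are outside what a literal match can see.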
Potential Impact
The impact of this vulnerability is severe. By disabling certificate validation, the application is vulnerable to Man-in-the-Middle (MitM) attacks. An attacker positioned between the application and the server it is trying to connect to can:
- Intercept and decrypt all sensitive data transmitted (such as login credentials, API keys, and personal information).
- Inject malicious code or responses into the data stream.
- Impersonate legitimate services to steal information or distribute malware.
Given that this flaw undermines the core of TLS encryption, it receives a Critical severity rating with a CVSS score of 9.1.
Remediation and Mitigation
Immediate action is required to address this vulnerability.
Primary Remediation:
The only complete fix is to update the application to a patched version provided by the vendor. Once a patched version is available, apply it immediately. The patch will remove the rejectUnauthorized: false setting, ensuring proper certificate validation is enforced.
Immediate Mitigation Steps (if a patch is not yet available):
- Assess Risk: Identify all systems running the vulnerable version of Ayms node-To master. Determine what data the application processes and what external services it connects to.
- Network Controls: If possible, isolate affected systems within the network to limit the potential attack surface. Restrict outbound connections from these systems to only known, necessary destinations using firewall rules.
- Monitor for Updates: Contact the software vendor for an official timeline for a security patch and monitor their security advisories closely.
Important Note: Do not attempt to modify the application code yourself unless you are the maintainer. The setting must be correctly removed and the application properly tested to ensure functionality is maintained with validation enabled.