CVE-2025-70043
Ayms · node-To master
The Ayms node-To master application disables TLS/SSL certificate validation by setting 'rejectUnauthorized' to false, facilitating Man-in-the-Middle (MitM) attacks.
Executive summary
A critical improper certificate validation vulnerability in Ayms node-To master allows attackers to intercept and modify sensitive encrypted traffic via Man-in-the-Middle attacks.
Vulnerability
This vulnerability (CWE-295) occurs because the application explicitly disables TLS certificate validation. By setting the rejectUnauthorized option to false in TLS socket configurations, the software will accept any certificate, including self-signed or fraudulent ones.
Business impact
The failure to validate certificates renders encrypted communications useless against an active interceptor. This can lead to the theft of credentials, session tokens, and sensitive data transmitted by the application. The CVSS score of 9.1 reflects the high risk to data confidentiality and integrity.
Remediation
Immediate Action: Update node-To master to a version that correctly enforces TLS certificate validation by enabling rejectUnauthorized.
Proactive Monitoring: Inspect network traffic for unusual certificate chains and monitor for unauthorized access to accounts linked to this application.
Compensating Controls: Use network-level security measures, such as VPNs or dedicated encrypted tunnels, to protect traffic if the application cannot be immediately updated.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Disabling certificate validation is a dangerous practice that exposes all user data to interception. It is imperative to update the software immediately and ensure that all production environments enforce strict SSL/TLS validation.
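The following is an added example, not code from the Ayms project or from this advisory: a small source audit that flags lines where Node.js certificate validation is switched off, suitable as a pre-deployment check. It goes slightly beyond the advisory by also flagging the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 switch, which has the same effect; the function name, finding ids and sample source are assumptions constructed for illustration.

```javascript
// Added example: flag source lines that disable TLS certificate validation.
// Names (findDisabledTlsValidation, finding ids) are hypothetical, not from the project.
const INSECURE_PATTERNS = [
  // Option passed to tls.connect(), https.request(), new https.Agent(), etc.
  // "!1" is how minifiers commonly emit the literal false.
  { id: 'rejectUnauthorized-false',
    re: /["']?rejectUnauthorized["']?\s*[:=]\s*(false|!1)(?![\w.])/ },
  // Process-wide switch (assumption: not named in the advisory, same effect).
  // Matches assignments only; comparisons such as === '0' are not flagged.
  { id: 'NODE_TLS_REJECT_UNAUTHORIZED-0',
    re: /NODE_TLS_REJECT_UNAUTHORIZED["'\]]*\s*=\s*["']?0["']?/ },
];

// Returns one finding per matching pattern per line: { file, line, id, text }.
function findDisabledTlsValidation(source, file = '<input>') {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const text = raw.trim();
    // Skip comment-only lines so commented-out code is not reported.
    if (text.startsWith('//') || text.startsWith('/*') || text.startsWith('*')) return;
    for (const { id, re } of INSECURE_PATTERNS) {
      if (re.test(text)) findings.push({ file, line: i + 1, id, text });
    }
  });
  return findings;
}

// Constructed sample input (not taken from the affected code base).
const SAMPLE_SOURCE = [
  "const tls = require('tls');",
  "// rejectUnauthorized: false  (commented out, ignored)",
  "const bad = tls.connect(443, host, { rejectUnauthorized: false });",
  "const good = tls.connect(443, host, { rejectUnauthorized: true, ca: pinnedCa });",
  "const min = tls.connect({host:h,port:443,rejectUnauthorized:!1});",
  "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
  "if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') warn();",
].join('\n');

for (const f of findDisabledTlsValidation(SAMPLE_SOURCE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.id}] ${f.text}`);
}
```

A match means the code needs review, and a clean result does not prove validation is enforced, since the option can also be set through a variable or a merged configuration object.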