Description
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Recommendation
Update the xmlhttprequest-ssl package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.1
- Patched version(s): 1.6.1
References
- GHSA-72mh-269x-7mh5
- people.kingsds.network
- security.netapp.com
- CVE-2021-31597
- CWE-295
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
- Improper Input Validation in sanitize-html (GHSA-mjxr-4v3x-q3m4) - CVE-2021-26540
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Improper Neutralization of Input in Theia console - CVE-2021-28161
- Tags:
- npm
- xmlhttprequest-ssl
Anything's wrong? Let us know Last updated on November 29, 2023