Description
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Recommendation
Update the xmlhttprequest-ssl package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.1
- Patched version(s): 1.6.1
References
- GHSA-72mh-269x-7mh5
- people.kingsds.network
- security.netapp.com
- CVE-2021-31597
- CWE-295
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Improper Input Validation in sanitize-html (GHSA-mjxr-4v3x-q3m4) - CVE-2021-26540
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
- Improper Validation and Sanitization in url-parse - CVE-2020-8124
- Tags:
- npm
- xmlhttprequest-ssl
Anything's wrong? Let us know Last updated on November 29, 2023