Description
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Recommendation
Update the xmlhttprequest-ssl package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.1
- Patched version(s): 1.6.1
References
- GHSA-72mh-269x-7mh5
- people.kingsds.network
- security.netapp.com
- CVE-2021-31597
- CWE-295
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 4 - CVE-2019-10744
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) 2 - CVE-2019-10744
- Passbolt Browser Extension leaks password information - CVE-2024-33669
- JSONata expression can pollute the "Object" prototype - CVE-2024-27307
- Tags:
- npm
- xmlhttprequest-ssl
Anything's wrong? Let us know Last updated on November 29, 2023