Description
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Recommendation
Update the xmlhttprequest-ssl package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.1
- Patched version(s): 1.6.1
References
- GHSA-72mh-269x-7mh5
- people.kingsds.network
- security.netapp.com
- CVE-2021-31597
- CWE-295
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Improper Input Validation in sanitize-html - sanitize-html - CVE-2021-26540
- Improper Input Validation in sanitize-html - CVE-2021-26539
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
- Regular Expression Denial of Service in jquery-validation - CVE-2021-21252
You might also like:
- Tags:
- npm
- xmlhttprequest-ssl
Anything's wrong? Let us know Last updated on November 29, 2023


