xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Severity:: High

Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Recommendation

Update the xmlhttprequest-ssl package to the latest compatible version. Followings are version details:

Affected version(s): < 1.6.2
Patched version(s): 1.6.2

References

GHSA-h4j5-c7cj-74xg
snyk.io
CVE-2020-28502
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (GHSA-h4j5-c7cj-74xg) - CVE-2020-28502
Arbitrary Code Injection in pouchdb - CVE-2016-10546
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750
Code Injection in mquery - CVE-2020-35149

Tags:: npm; xmlhttprequest-ssl

Anything's wrong? Let us know Last updated on November 29, 2023