xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - xmlhttprequest

Severity:: High

Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Recommendation

Update the xmlhttprequest package to the latest compatible version. Followings are version details:

Affected version(s): < 1.7.0
Patched version(s): 1.7.0

References

GHSA-h4j5-c7cj-74xg
snyk.io
CVE-2020-28502
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule - CVE-2025-67750
Code Injection in mquery - CVE-2020-35149
Code Injection in jsen - CVE-2020-7777

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; xmlhttprequest

Anything's wrong? Let us know Last updated on November 29, 2023