CVE-2021-31597 – xmlhttprequest-ssl
Package
Manager: npm
Name: xmlhttprequest-ssl
Vulnerable Version: >=0 <1.6.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00371 (percentile: 0.58051)
Details
Improper Certificate Validation in xmlhttprequest-ssl
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Metadata
Created: 2021-05-24T19:52:55Z
Modified: 2021-05-20T21:59:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-72mh-269x-7mh5/GHSA-72mh-269x-7mh5.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-72mh-269x-7mh5
Finding: F163
Auto approve: 1