Vulnerability Description
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
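The mechanism behind this advisory is an options-merging quirk: Node's tls.connect() spreads caller options over its defaults, so a rejectUnauthorized key that is present but undefined overrides the default true and is then treated as falsy. The following added example (not code from the advisory or from the xmlhttprequest-ssl project; the helper names and the example.test host are constructed for illustration) reproduces that merge offline and shows a defensive way to build request options so an unset key can never reach https.request:

```javascript
// Mirrors how Node's tls.connect() merges caller options over defaults
// (object spread): a key that exists but is undefined still overrides
// the default `true`.
function mergeLikeTlsConnect(userOptions) {
  const defaults = { rejectUnauthorized: true };
  return { ...defaults, ...userOptions };
}

// Node applies a plain truthy/falsy test to the merged value, so
// `undefined` means "do not reject unauthorized certificates".
function certValidationEnabled(mergedOptions) {
  return Boolean(mergedOptions.rejectUnauthorized);
}

// Hardened builder (hypothetical helper): forward rejectUnauthorized only
// when the caller supplied an explicit boolean; otherwise omit the key
// entirely so the secure default survives the merge.
function buildRequestOptions(url, userOptions = {}) {
  const u = new URL(url);
  const options = {
    method: 'GET',
    host: u.hostname,
    port: u.port ? Number(u.port) : (u.protocol === 'https:' ? 443 : 80),
    path: u.pathname + u.search,
  };
  if (typeof userOptions.rejectUnauthorized === 'boolean') {
    options.rejectUnauthorized = userOptions.rejectUnauthorized;
  }
  return options;
}

// Guard to run just before https.request(): rejects an options object
// whose rejectUnauthorized key exists but is not an explicit boolean.
function assertValidationIntent(options) {
  if ('rejectUnauthorized' in options &&
      typeof options.rejectUnauthorized !== 'boolean') {
    throw new TypeError('rejectUnauthorized must be an explicit boolean');
  }
  return true;
}

// Vulnerable pattern: the key exists but its value was never set.
const vulnerable = mergeLikeTlsConnect({ rejectUnauthorized: undefined });
console.log(certValidationEnabled(vulnerable)); // false: no cert is rejected

// Hardened pattern: key omitted, so the default `true` is kept.
const safe = buildRequestOptions('https://example.test/x?y=1', { rejectUnauthorized: undefined });
console.log(certValidationEnabled(mergeLikeTlsConnect(safe))); // true
```

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment is the only other way Node flips this default, so an audit of request options plus that environment variable covers both paths.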
CVSS Score
9.4 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlhttprequest-Ssl Project | Xmlhttprequest-Ssl | < 1.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2d (Patch, Third Party Advisory)
- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1 (Patch, Release Notes, Third Party Advisory)
- https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt (Exploit, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210618-0004/ (Third Party Advisory)
FAQ
What is CVE-2021-31597?
CVE-2021-31597 is a vulnerability with a CVSS score of 9.4 (CRITICAL). The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false...
How severe is CVE-2021-31597?
CVE-2021-31597 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-31597?
Yes. The references section above links to the upstream fix commit and to the v1.6.0...1.6.1 comparison, along with vendor advisories. The affected product is Xmlhttprequest-Ssl (Xmlhttprequest-Ssl Project), versions before 1.6.1.