Skip to content

Improper Certificate Validation in xmlhttprequest-ssl

critical severity GitHub Reviewed Published May 24, 2021 • Updated Jun 21, 2021

Package

npm xmlhttprequest-ssl (npm)

Affected versions

< 1.6.1

Patched versions

1.6.1

Description

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

References

CVE ID

CVE-2021-31597

CVSS Score

9.4 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L