Skip to content

engine.io-client 5.x contrib/xmlhttprequest-ssl/XMLHttpRequest.js contains security vulnerability CVE-2020-28502 #673

@twegener-embertec

Description

@twegener-embertec

engine.io-client 5.1.2 includes contrib/xmlhttprequest-ssl/XMLHttpRequest.js directly, rather than via an npm dependency prior to 5.x. That code appears to lack the fix for the following critical security vulnerability:

CVE-2020-28502
https://www.npmjs.com/advisories/1665
GHSA-h4j5-c7cj-74xg

See the following patch for that vulnerability:
mjwwit/node-XMLHttpRequest@ee1e81f

Specifically:

-        + (data ? "req.write('" + data.replace(/'/g, "\\'") + "');":"")
+        + (data ? "req.write('" + JSON.stringify(data).slice(1,-1).replace(/'/g, "\\'") + "');":"")

I.e. it appears that this contrib version of xmlhttprequest-ssl is based on 1.6.1 which still had the vulnerability.

Note that since this is included directly rather than via npm, it does not show up via npm audit.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions