PT-2021-19437 · Node.Js+1
Published 2021-04-22 · Updated 2022-04-18 · CVE-2021-31597
CVSS v3.1: 9.4 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
xmlhttprequest-ssl versions prior to 1.6.1
Description
The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default. The package passes a rejectUnauthorized property that exists but is undefined to Node.js's https.request function, which treats the undefined value as false, so no certificate is ever rejected.
Recommendations
For versions prior to 1.6.1, update to version 1.6.1 or later to enable proper SSL certificate validation. As a temporary workaround, set the rejectUnauthorized property to true to ensure certificate validation.
Exploit
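The defaulting bug described above, as an added example that is neither the page's nor the xmlhttprequest-ssl project's code: the spread-based merge that imitates how Node's tls.connect() applies its defaults is an assumption about the mechanism (not Node's source), and `example.test` is a constructed host.

```javascript
'use strict';

// Node's tls.connect() merges the caller's options over its own defaults, so a
// key that is present but undefined overrides the default of true. This helper
// imitates that merge with object spread (assumption about the mechanism) and
// returns what the TLS layer would effectively use, with no network involved.
function effectiveRejectUnauthorized(callerOptions) {
  const merged = { rejectUnauthorized: true, ...callerOptions };
  // Only truthiness is checked downstream, so undefined means "do not reject".
  return Boolean(merged.rejectUnauthorized);
}

// Vulnerable pattern (as described for versions before 1.6.1): the property is
// copied from the caller's settings whether or not the caller ever set it.
function buildOptionsVulnerable(settings) {
  return {
    host: settings.host,
    port: settings.port || 443,
    rejectUnauthorized: settings.rejectUnauthorized, // undefined when never set
  };
}

// Hardened pattern: validation stays on unless the caller explicitly passes
// false, which also covers the workaround of setting the property to true.
function buildOptionsHardened(settings) {
  return {
    host: settings.host,
    port: settings.port || 443,
    rejectUnauthorized: settings.rejectUnauthorized !== false,
  };
}

// Constructed sample settings: a caller who never mentions rejectUnauthorized.
const sampleSettings = { host: 'example.test', port: 443 };

// Returns the effective validation state for both patterns on the same input.
function compareDefaults(settings) {
  return {
    vulnerable: effectiveRejectUnauthorized(buildOptionsVulnerable(settings)),
    hardened: effectiveRejectUnauthorized(buildOptionsHardened(settings)),
  };
}

console.log(compareDefaults(sampleSettings)); // { vulnerable: false, hardened: true }
```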
Fix
Weakness Enumeration
Improper Certificate Validation
Related Identifiers
Affected Products
Node.Js
Xmlhttprequest-Ssl