org.webjars.npm:xmlhttprequest-ssl 1.5.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:xmlhttprequest-ssl package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Access Restriction Bypass org.webjars.npm:xmlhttprequest-ssl is a fork of `xmlhttprequest`. Affected versions of this package are vulnerable to Access Restriction Bypass. The package disables SSL certificate validation by default, because `rejectUnauthorized` (when the property exists but is undefined) is considered to be false within the `https.request` function of Node.js. In other words, no certificate is ever rejected. How to fix Access Restriction Bypass? Upgrade `org.webjars.npm:xmlhttprequest-ssl` to version 1.6.1 or higher.	[,1.6.1)
H Arbitrary Code Injection org.webjars.npm:xmlhttprequest-ssl is a fork of `xmlhttprequest`. Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously (`async=False` on `xhr.open`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run. POC `const { XMLHttpRequest } = require("xmlhttprequest") const xhr = new XMLHttpRequest() xhr.open("POST", "http://localhost.invalid/", false /* use synchronize request */) xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")` How to fix Arbitrary Code Injection? Upgrade `org.webjars.npm:xmlhttprequest-ssl` to version 2.0.0 or higher.	[,2.0.0)

Vulnerability

Vulnerable Version

Access Restriction Bypass

org.webjars.npm:xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Access Restriction Bypass. The package disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

How to fix Access Restriction Bypass?

Upgrade org.webjars.npm:xmlhttprequest-ssl to version 1.6.1 or higher.

[,1.6.1)

Arbitrary Code Injection

org.webjars.npm:xmlhttprequest-ssl is a fork of xmlhttprequest.

Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

POC

const { XMLHttpRequest } = require("xmlhttprequest")

const xhr = new XMLHttpRequest()
xhr.open("POST", "http://localhost.invalid/", false /* use synchronize request */)
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")

How to fix Arbitrary Code Injection?

Upgrade org.webjars.npm:xmlhttprequest-ssl to version 2.0.0 or higher.

[,2.0.0)

org.webjars.npm:xmlhttprequest-ssl@1.5.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?

POC