Access Restriction Bypass Affecting xmlhttprequest-ssl package, versions <1.6.1
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.21% (60th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-XMLHTTPREQUESTSSL-1255647
- published 26 Apr 2021
- disclosed 21 Apr 2021
- credit Wes Garland
Introduced: 21 Apr 2021
CVE-2021-31597 Open this link in a new tabHow to fix?
Upgrade xmlhttprequest-ssl to version 1.6.1 or higher.
Overview
xmlhttprequest-ssl is a fork of xmlhttprequest.
Affected versions of this package are vulnerable to Access Restriction Bypass. The package disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
PoC
const XMLHttpRequest = require('xmlhttprequest-ssl');
var xhr = new XMLHttpRequest(); /* pass empty object in version 1.5.4 to work around bug */
xhr.open("GET", "https://self-signed.badssl.com/");
xhr.addEventListener('readystatechange', () => console.log('ready state:', xhr.status));
xhr.addEventListener('loadend', loadend);
function loadend()
{
console.log('loadend:', xhr);
if (xhr.status === 0 && xhr.statusText.code === 'DEPTH_ZERO_SELF_SIGNED_CERT')
console.log('test passed: self-signed cert rejected');
else
console.log('*** test failed: self-signed cert used to retrieve content');
}
xhr.send();
References
CVSS Scores
version 3.1