Headline
CVE-2021-31597
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
#! /usr/bin/node /** * @file xmlhttprequest-ssl.js * This program demonstrates the SSL cert security vulnerability in * xmlhttprequest-ssl versions 1.5 through 1.6.0. * * Requirements: install xmlhttprequest-ssl package from public npm repository; e.g. * npm init # create package.json * npm i [email protected] * * @author Wes Garland, [email protected] * @date April 2021 */ const XMLHttpRequest = require(‘xmlhttprequest-ssl’); var xhr = new XMLHttpRequest(); /* pass empty object in version 1.5.4 to work around bug */ xhr.open("GET", “https://self-signed.badssl.com/”); xhr.addEventListener('readystatechange’, () => console.log('ready state:’, xhr.status)); xhr.addEventListener('loadend’, loadend); function loadend() { console.log('loadend:’, xhr); if (xhr.status === 0 && xhr.statusText.code === ‘DEPTH_ZERO_SELF_SIGNED_CERT’) console.log(‘test passed: self-signed cert rejected’); else console.log(‘*** test failed: self-signed cert used to retrieve content’); } xhr.send();