CVE-2021-31597

Improper Certificate Validation in npm/xmlhttprequest-ssl

Identifiers

CVE-2021-31597

Package Slug

npm/xmlhttprequest-ssl

Vulnerability

Improper Certificate Validation

Description

The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
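The option handling described above, as an added example that is not code from xmlhttprequest-ssl or Node.js: it shows the always-copied rejectUnauthorized key beside a hardened default, plus a small audit check. All function names are hypothetical, and validationEnabled is only a model of the consumer behaviour this advisory states (a present-but-undefined property counts as false); it assumes an absent key leaves validation on.

```javascript
// Added illustration; function names are hypothetical, not from xmlhttprequest-ssl.

// Pre-fix pattern: the key is always copied into the request options, so it
// exists with the value undefined whenever the caller did not set it.
function buildOptionsVulnerable(settings = {}) {
  return {
    host: settings.host,
    port: settings.port || 443,
    rejectUnauthorized: settings.rejectUnauthorized,
  };
}

// Hardened pattern: validation stays on unless the caller passes exactly false.
function buildOptionsHardened(settings = {}) {
  return {
    host: settings.host,
    port: settings.port || 443,
    rejectUnauthorized: settings.rejectUnauthorized !== false,
  };
}

// Model of the consumer behaviour the advisory describes: a present key is
// coerced to a boolean, so undefined ends up meaning "do not reject".
// Assumption: when the key is absent, certificates are validated.
function validationEnabled(options) {
  if ('rejectUnauthorized' in options) return Boolean(options.rejectUnauthorized);
  return true;
}

// Audit helper for code review or unit tests: classify how an options object
// ends up with certificate validation on or off.
function auditTlsOptions(options) {
  if (validationEnabled(options)) return 'enabled';
  return options.rejectUnauthorized === false ? 'disabled-explicit' : 'disabled-implicit';
}

// Constructed sample input: a caller that never mentions rejectUnauthorized.
const sample = { host: 'api.example.test' };
console.log('pre-fix :', auditTlsOptions(buildOptionsVulnerable(sample)));
console.log('hardened:', auditTlsOptions(buildOptionsHardened(sample)));
```

A check like auditTlsOptions can run in a unit test over the options a wrapper library builds, so a silently disabled validation is caught before release.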

Affected Versions

All versions before 1.6.1

Solution

Upgrade to version 1.6.1 or above.

Last Modified

2021-05-03
