CVE-2020-28502
Code Injection vulnerability in xmlhttprequest-ssl (npm)
What is CVE-2020-28502 About?
This is a code injection vulnerability impacting `xmlhttprequest` before 1.7.0 and all versions of `xmlhttprequest-ssl` when using synchronous requests. Malicious user input passed to `xhr.send` can result in arbitrary code injection and execution. Exploitation is straightforward if synchronous requests are used with untrusted input.
Affected Software
- xmlhttprequest
  - <1.7.0
- xmlhttprequest-ssl
  - <1.6.2
Technical Details
The vulnerability occurs when synchronous XMLHttpRequest requests are made (that is, `xhr.open` is called with the `async` argument set to `false`) and user-controlled input is passed to the `xhr.send` method without proper sanitization. In synchronous mode the execution flow pauses, and the body given to `send` is inserted directly into a string of JavaScript that is parsed and executed by the underlying JavaScript engine or a related component before the request completes; input that contains quote characters can therefore break out of the string context and be interpreted as code. This allows attackers to inject and execute arbitrary JavaScript code within the context of the client-side application.
What is the Impact of CVE-2020-28502?
Successful exploitation may allow attackers to execute arbitrary code within the client's browser, steal credentials, manipulate web content, or deface websites.
What is the Exploitability of CVE-2020-28502?
Exploitation of this code injection requires an attacker to control the input supplied to `xhr.send` and the application to be using synchronous XMLHttpRequest requests. The complexity is moderate, as it relies on specific conditions and on how the browser or environment interprets the injected strings. No authentication is typically required for the injection itself, since it is often a client-side vulnerability, but the attacker needs to interact with the application to supply the malicious input. This is primarily a client-side remote vulnerability. The critical prerequisites are use of the vulnerable packages, synchronous requests, and a lack of input sanitization before `xhr.send` is called; applications that fail to sanitize user-controlled data passed to `xhr.send` are at high risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| s-index | Link | CVE-2020-28502 node-XMLHttpRequest RCE |
| dpredrag | Link | PoC for CVE-2020-28502 |
What are the Available Fixes for CVE-2020-28502?
About the Fix from Resolved Security
The patch replaces direct insertion of the request body data into a string with a JSON.stringify-based approach, preventing malicious input from breaking out of the string context. This fixes CVE-2020-28502 by blocking command injection attacks where specially-crafted input data could execute arbitrary code when passed to req.write().
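As an added illustration (not code from node-XMLHttpRequest or its patch), the two builders below model the pre-fix and post-fix ways of placing a request body inside generated JavaScript, and a stub `req` shows what each generated statement actually does; the names `buildUnsafe`, `buildSafe` and `runGenerated` are ours.

```javascript
// Added example, not the project's code: models how a request body ends up
// inside generated JavaScript on the synchronous path, before and after the fix.

// Pre-fix pattern: the body is spliced directly into source text, so any quote
// character in it terminates the string literal early.
function buildUnsafe(body) {
  return "req.write('" + body + "');";
}

// Post-fix pattern: JSON.stringify emits a complete JS string literal with
// quotes, backslashes and control characters escaped, so the body can only
// ever be a string argument. Caveat: before ES2019, U+2028/U+2029 were not
// allowed in string literals and JSON.stringify does not escape them.
function buildSafe(body) {
  return "req.write(" + JSON.stringify(body) + ");";
}

// Evaluate a generated statement against a stub `req` that only records what
// was written. Returns { written } on success, or { error } when the generated
// source does not even parse, which is the symptom of a broken string context.
function runGenerated(code) {
  const written = [];
  const req = { write: (value) => written.push(value) };
  try {
    new Function("req", code)(req);
  } catch (e) {
    return { error: e.name };
  }
  return { written };
}

// Constructed sample bodies: one harmless, one containing single quotes.
const plainBody = "name=alice&role=user";
const quotedBody = "note=it's a 'quoted' body";

// Compare both builders on one body; useful when auditing string-built code.
function compare(body) {
  return {
    unsafe: runGenerated(buildUnsafe(body)),
    safe: runGenerated(buildSafe(body)),
  };
}

console.log(JSON.stringify(compare(plainBody)));
console.log(JSON.stringify(compare(quotedBody)));
```

The unsafe builder only works for bodies without quotes; with `quotedBody` it yields a SyntaxError, while the JSON.stringify builder hands the body through unchanged whatever it contains.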
Available Upgrade Options
- xmlhttprequest-ssl
  - <1.6.2 → Upgrade to 1.6.2
- xmlhttprequest
  - <1.7.0 → Upgrade to 1.7.0
Additional Resources
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937
- https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531
- https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938
- https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480
- https://nvd.nist.gov/vuln/detail/CVE-2020-28502
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
What are Similar Vulnerabilities to CVE-2020-28502?
Similar Vulnerabilities: CVE-2019-11358, CVE-2021-23381, CVE-2021-23397, CVE-2021-23424, CVE-2021-23805
