CVE-2021-31597
Insufficient Certificate Validation vulnerability in xmlhttprequest-ssl (npm)
What is CVE-2021-31597 About?
This is an insufficient certificate validation vulnerability in the xmlhttprequest-ssl package for Node.js. It disables SSL certificate validation by default, allowing connections to untrusted servers. The impact is that no certificate is ever rejected, making Man-in-the-Middle (MitM) attacks possible. Exploitation is relatively easy for an attacker who can intercept network traffic.
Affected Software
Technical Details
The 'xmlhttprequest-ssl' package before version 1.6.1 for Node.js suffers from an insufficient certificate validation vulnerability. The core issue is that it disables SSL certificate validation by default. This occurs because the rejectUnauthorized property, when it exists but is undefined, is implicitly treated as false within the https.request function of Node.js. As a result, the application accepts any SSL certificate presented by a server, regardless of its validity or whether it matches the expected hostname. This effectively defeats the server authentication that SSL/TLS is meant to provide and opens the door to Man-in-the-Middle (MitM) attacks in which an attacker can intercept, view, and potentially modify encrypted communications.
What is the Impact of CVE-2021-31597?
Successful exploitation may allow attackers to perform Man-in-the-Middle (MitM) attacks, intercepting and viewing or altering encrypted communications due to a lack of proper certificate validation.
What is the Exploitability of CVE-2021-31597?
Exploitation requires an attacker to be in a position to perform a Man-in-the-Middle (MitM) attack, typically by controlling a network segment or having a compromised proxy. The attacker can then present any SSL certificate to the vulnerable client, which will be accepted because validation is effectively disabled. There are no authentication or privilege requirements on the victim's application. This is a remote vulnerability as it involves network-level interception. The complexity is primarily in successfully intercepting the network traffic between the client and the server. The lack of default validation significantly increases the likelihood of a successful MitM attack against applications using this vulnerable package.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-31597?
About the Fix from Resolved Security
The patch ensures that the TLS option rejectUnauthorized defaults to true unless explicitly set to false, instead of simply copying whatever value is given. This prevents unintentional disabling of server certificate verification, addressing the vulnerability in CVE-2021-31597 where insecure connections could be made if opts.rejectUnauthorized was undefined or unset.
Available Upgrade Options
- xmlhttprequest-ssl
- <1.6.1 → Upgrade to 1.6.1
Additional Resources
- https://security.netapp.com/advisory/ntap-20210618-0004
- https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1
- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
- https://osv.dev/vulnerability/GHSA-72mh-269x-7mh5
- https://nvd.nist.gov/vuln/detail/CVE-2021-31597
What are Similar Vulnerabilities to CVE-2021-31597?
Similar Vulnerabilities: CVE-2023-38407, CVE-2022-24765, CVE-2021-28363, CVE-2020-13777, CVE-2018-1000139
