CVE-2021-31597
📋 TL;DR
The xmlhttprequest-ssl package for Node.js versions before 1.6.1 disables SSL certificate validation by default, allowing man-in-the-middle attacks. This vulnerability affects any Node.js application using this package to make HTTPS requests without explicitly enabling certificate validation. Attackers can intercept and manipulate encrypted communications.
💻 Affected Systems
- xmlhttprequest-ssl
📦 What is this software?
xmlhttprequest-ssl, a Node.js implementation of the browser XMLHttpRequest API, maintained in the mjwwit/node-XMLHttpRequest repository. It is typically pulled into an application as a transitive dependency of other packages rather than installed directly.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive data transmitted over HTTPS, including authentication credentials, API keys, and personal information, through man-in-the-middle attacks.
Likely Case
Data interception and manipulation in environments where attackers can position themselves between clients and servers, potentially leading to credential theft or data corruption.
If Mitigated
Limited impact if applications use additional transport layer security or operate in trusted network environments with proper segmentation.
🎯 Exploit Status
Exploitation requires network positioning for man-in-the-middle attacks; public proof-of-concept demonstrates certificate validation bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1 and later
Vendor Advisory: https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
Restart Required: Yes
Instructions:
1. Update package.json to specify xmlhttprequest-ssl version 1.6.1 or higher.
2. Run 'npm update xmlhttprequest-ssl' or 'yarn upgrade xmlhttprequest-ssl'.
3. Restart the Node.js application.
🔧 Temporary Workarounds
Explicit Certificate Validation
Manually set rejectUnauthorized to true in all HTTPS request configurations that use xmlhttprequest-ssl.
// In Node.js code: request.rejectUnauthorized = true;
🧯 If You Can't Patch
- Implement network-level TLS inspection and certificate pinning.
- Use alternative HTTPS libraries with proper certificate validation enabled by default.
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/xmlhttprequest-ssl/package.json for version <1.6.1.
Check Version:
npm list xmlhttprequest-ssl
Verify Fix Applied:
Confirm xmlhttprequest-ssl version is 1.6.1 or higher in package.json and verify HTTPS requests fail with invalid certificates.
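The version check above as a script, added here as an example and not part of the advisory: it walks an npm lockfile (lockfileVersion 1, 2 or 3) and reports every installed copy of xmlhttprequest-ssl older than 1.6.1, including nested copies that other packages pull in. The sample lockfile embedded below is constructed.

```javascript
// Added example: find every installed xmlhttprequest-ssl below the fixed release 1.6.1.
const FIXED = [1, 6, 1];

// Compare a dotted version string against FIXED. Returns true if older than 1.6.1,
// false if 1.6.1 or newer, null if the string is not a parseable x.y.z version.
// Pre-release suffixes (e.g. "-beta") are ignored for the comparison.
function isVulnerableVersion(version) {
  const parts = String(version).split('-')[0].split('.').map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) return null;
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED[i]) return true;
    if (parts[i] > FIXED[i]) return false;
  }
  return false; // exactly 1.6.1
}

// Walk a lockfileVersion 2/3 "packages" map (keys are node_modules paths) or a
// lockfileVersion 1 "dependencies" tree; return every vulnerable install path.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/xmlhttprequest-ssl') && isVulnerableVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'xmlhttprequest-ssl' && isVulnerableVersion(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/'); // nested (deduplicated) installs live under the parent
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: a patched top-level copy plus an old nested copy brought in by another package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/xmlhttprequest-ssl': { version: '1.6.1' },
    'node_modules/engine.io-client': { version: '3.5.1', dependencies: { 'xmlhttprequest-ssl': '~1.5.0' } },
    'node_modules/engine.io-client/node_modules/xmlhttprequest-ssl': { version: '1.5.5' },
  },
};

if (typeof module !== 'undefined' && require.main === module) {
  // Usage: node check-xhr-ssl.js [path/to/package-lock.json]; falls back to the constructed sample.
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const h of findVulnerable(lock)) console.log(`VULNERABLE xmlhttprequest-ssl ${h.version} at ${h.path}`);
}
```

A clean lockfile produces no output; `npm list xmlhttprequest-ssl` from the advisory shows the same nested copies, this script just makes the version comparison explicit and scriptable for CI.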
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful HTTPS connections to servers with invalid certificates.
- SSL/TLS handshake failures when certificate validation is expected.
Network Indicators:
- Unencrypted or improperly encrypted traffic from affected applications.
- HTTPS requests to domains with invalid certificates that succeed.
SIEM Query:
Search for application logs containing successful HTTPS requests despite certificate errors or mismatches.
🔗 References
- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1
- https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
- https://security.netapp.com/advisory/ntap-20210618-0004/