CVE-2018-1000096: tiny-json-http missing SSL certificate validation
CVSS Score: 8.1 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.40117%
CWE
Published: 3/13/2018
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
tiny-json-http | npm | >= 1.0.1, < 7.0.0 | 7.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from SSL certificate validation being explicitly disabled via the 'rejectUnauthorized = false' option in both _read.js and _write.js. This setting is a direct instance of CWE-295 (Improper Certificate Validation) and was removed in the patched commit 3c1e36d. The functions in these files handle HTTP(S) requests, so with certificate validation disabled, users are exposed to MITM attacks. The commit diff confirms these lines were the sole SSL-related changes, so the identification is made with high confidence.
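A static check for the pattern described above, written as an added example (it is not code from tiny-json-http or from this advisory). The function names and the sample file contents are assumptions constructed for illustration; only the 'rejectUnauthorized' option and the _read.js/_write.js file names come from the page.

```javascript
// Added example: static check for code that turns off TLS certificate validation.
// Matches assignment and object-literal forms that set rejectUnauthorized to
// false (or the minified !1); comparisons such as `=== false` do not match.
const DISABLED_TLS = /\brejectUnauthorized\b['"]?\s*\]?\s*[:=]\s*(?:false|!1)\b/;

// Returns one finding per offending line of `source`, labelled with `file`.
function findDisabledTlsValidation(source, file) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const code = text.trim();
    if (code.startsWith('//') || code.startsWith('*')) return; // comment lines
    if (DISABLED_TLS.test(code)) findings.push({ file, line: i + 1, text: code });
  });
  return findings;
}

// Audits a { fileName: sourceText } map and returns all findings in order.
function auditSources(sources) {
  return Object.entries(sources).flatMap(([file, source]) =>
    findDisabledTlsValidation(source, file));
}

// Constructed samples (not the real file contents): two "before" files that
// disable validation and one "after" file that leaves Node's default in place.
const SAMPLE_SOURCES = {
  'before/_read.js': [
    "module.exports = function _read(options, callback) {",
    "  options.rejectUnauthorized = false",
    "  return https.request(options, callback)",
    "}",
  ].join('\n'),
  'before/_write.js': [
    "module.exports = function _write(options, callback) {",
    "  var opts = { method: 'POST', rejectUnauthorized: false }",
    "  return https.request(Object.assign(opts, options), callback)",
    "}",
  ].join('\n'),
  'after/_read.js': [
    "module.exports = function _read(options, callback) {",
    "  // options.rejectUnauthorized = false  (line removed by the fix)",
    "  if (options.rejectUnauthorized === false) return callback(Error('TLS off'))",
    "  return https.request(options, callback)",
    "}",
  ].join('\n'),
};

for (const f of auditSources(SAMPLE_SOURCES)) {
  console.log(`${f.file}:${f.line}: ${f.text}`);
}
```

The same function can be pointed at the installed package sources of a dependency tree to confirm that no vendored copy in the vulnerable range (>= 1.0.1, < 7.0.0) still carries the setting.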