Miggo Logo

CVE-2020-28502: xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.94786%
Published
5/4/2021
Updated
11/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
xmlhttprequestnpm< 1.7.01.7.0
xmlhttprequest-sslnpm< 1.6.21.6.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability exists in the synchronous request handling path of the send() method. The commit diffs (983cfc2 and ee1e81f) show the fix involved wrapping data with JSON.stringify() to prevent code injection. In vulnerable versions, user input was directly embedded into a Node.js child process command string via data.replace(/'/g, "\\'"), which was insufficient to prevent escaping. This allowed attackers to inject arbitrary JavaScript code when sending malicious payloads via xhr.send() in synchronous mode. The file path and function are explicitly referenced in CVE-2020-28502 descriptions and GitHub advisories.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** xml*ttpr*qu*st ***or* *.*.*; *ll v*rsions o* p**k*** xml*ttpr*qu*st-ssl. Provi*** r*qu*sts *r* s*nt syn**ronously (`*syn*=**ls*` on `x*r.op*n`), m*li*ious us*r input *lowin* into `x*r.s*n*` *oul* r*sult in *r*itr*ry *o** **in

Reasoning

T** vuln*r**ility *xists in t** syn**ronous r*qu*st **n*lin* p*t* o* t** s*n*() m*t*o*. T** *ommit *i**s (******* *n* *******) s*ow t** *ix involv** wr*ppin* **t* wit* JSON.strin*i*y() to pr*v*nt *o** inj**tion. In vuln*r**l* v*rsions, us*r input w*s