CVE-2020-28502: xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.94786%
CWE
Published
5/4/2021
Updated
11/29/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
xmlhttprequest | npm | < 1.7.0 | 1.7.0 |
xmlhttprequest-ssl | npm | < 1.6.2 | 1.6.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the synchronous request handling path of the send() method. The commit diffs (983cfc2 and ee1e81f) show the fix involved wrapping data with JSON.stringify() to prevent code injection. In vulnerable versions, user input was directly embedded into a Node.js child process command string via data.replace(/'/g, "\\'")
, which was insufficient to prevent escaping. This allowed attackers to inject arbitrary JavaScript code when sending malicious payloads via xhr.send() in synchronous mode. The file path and function are explicitly referenced in CVE-2020-28502 descriptions and GitHub advisories.