Disclosing a local file inclusion vulnerability in xmlhttprequest library
This article details a security vulnerability (CWE-276) in the xmlhttprequest npm library, version 1.8.0. The flaw, stemming from incorrect default permissions, enables Local File Inclusion (LFI), in which an attacker-controlled URL can lead to arbitrary file read access on the server's filesystem. It includes proof-of-concept code and discusses the maintainer's response.