CVE-2021-31597: 
JavaScript vulnerability analysis and mitigation

The xmlhttprequest-ssl package before version 1.6.1 for Node.js contains a critical security vulnerability where SSL certificate validation is disabled by default. This occurs because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js, effectively meaning that no certificate is ever rejected (NVD).

The vulnerability has a CVSS v3.1 Base Score of 9.4 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. The issue stems from improper certificate validation where the rejectUnauthorized property defaults to false instead of true, allowing the acceptance of invalid certificates (NVD, GitHub Patch).

The vulnerability could lead to disclosure of sensitive information or addition/modification of data. When exploited, it allows attackers to bypass SSL certificate validation, potentially enabling man-in-the-middle attacks and compromising the confidentiality and integrity of data transmitted through the application (NetApp Advisory).

The vulnerability has been fixed in xmlhttprequest-ssl version 1.6.1. The fix modifies the default behavior of rejectUnauthorized to be true unless explicitly set to false. Users should upgrade to version 1.6.1 or later to address this security issue (GitHub Patch).

The vulnerability has gained attention in the security community, with major organizations like NetApp issuing security advisories to their customers. Juniper Networks also acknowledged this vulnerability in their Contrail Networking product updates, rating it as a critical security issue (SecurityWeek).