CVE-2020-28502

HIGH

xmlhttprequest < 1.7.0 and xmlhttprequest-ssl < 1.6.2 - Remote Code Execution via Synchronous Request

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-28502. PoCs published by s-index, dpredrag.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-28502, demonstrating arbitrary code execution via malicious input in synchronous XMLHttpRequest calls in Node.js. The PoC includes payloads for file creation and reverse shell execution.

Description

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Exploits (2)

nomisec WORKING POC 3 stars

by s-index · poc

https://github.com/s-index/CVE-2020-28502

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-28502, demonstrating arbitrary code execution via malicious input in synchronous XMLHttpRequest calls in Node.js. The PoC includes payloads for file creation and reverse shell execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: xmlhttprequest < 1.7.0, xmlhttprequest-ssl (all versions)

No auth needed

Prerequisites: Node.js environment with vulnerable xmlhttprequest package · Ability to send crafted POST requests to the target application

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by dpredrag · poc

https://github.com/dpredrag/CVE-2020-28502

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2020-28502, demonstrating an SSRF vulnerability via a Node.js Express server that forwards POST requests to arbitrary URLs. The exploit leverages the XMLHttpRequest API to send crafted requests, potentially bypassing access controls.

Classification

Working Poc 90%

Attack Type

Ssrf

Complexity

Trivial

Reliability

Reliable

Target: Node.js applications using vulnerable XMLHttpRequest configurations

No auth needed

Prerequisites: Network access to the vulnerable server · Ability to send crafted POST requests

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938

Broken Link x_refsource_misc

https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480

Scores

CVSS v3 8.1

EPSS 0.1740

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (3)

npm/xmlhttprequest 0 - 1.7.0npm

npm/xmlhttprequest-ssl 0 - 1.6.2npm

xmlhttprequest_project/xmlhttprequest < 1.7.0

Published Mar 05, 2021

Tracked Since Feb 18, 2026