Severity: moderate

Insecure Defaults Allow MITM Over TLS


Affected versions of do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

The vulnerability stems from the way Node.js handles the rejectUnauthorized option. When the option is present on the request but its value is something falsy, such as undefined or null, that falsy value overrides Node's default of true, and certificate verification is disabled rather than left at the default.


Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to to set rejectUnauthorized: true explicitly (the option name is rejectUnauthorized, not rejectedUnauthorized).


Advisory timeline

  1. published

    Advisory published
    Apr 26th, 2016
  2. reported

    Initial report by David Johansson
    Apr 4th, 2016