VYPR
High severity · NVD Advisory · Published Mar 13, 2018 · Updated Aug 5, 2024

CVE-2018-1000096

Description

brianleroux tiny-json-http, all versions since commit 9b8e74a232bba4701844e07bcba794173b0238a8 (Oct 29 2016), contains a missing SSL certificate validation vulnerability. The library's core functionality is affected, which can expose the user to man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The tiny-json-http library disables SSL certificate validation, exposing users to man-in-the-middle attacks in all versions from 1.0.1 up to, but not including, 7.0.0.

Vulnerability

The tiny-json-http library (npm package) silently disables SSL/TLS certificate validation in its core HTTP request functionality. This flaw affects all versions from 1.0.1 up to (but not including) 7.0.0, originating from commit 9b8e74a232bba4701844e07bcba794173b0238a8 (October 29, 2016). The library provides a minimalist HTTP client for JSON payloads and is commonly used in serverless environments such as AWS Lambda. No special configuration is needed to trigger the vulnerability; it is the default behavior when making any HTTPS request through the library [1][2][4].

Exploitation

An attacker with network access — for instance, on the same local network, a compromised router, or a malicious wireless access point — can intercept HTTPS traffic between the application and any server the library communicates with. Because certificate validation is disabled, the attacker can present a self-signed or fraudulent SSL certificate without triggering any error. No authentication or user interaction is required beyond the application using the library to make a request [2]. The attack exploits the missing validation at the TLS layer, effectively performing a classic man-in-the-middle (MITM) attack.

Impact

Successful exploitation allows an attacker to read, modify, or inject data into all HTTP requests and responses handled by the library. This results in full compromise of communication confidentiality and integrity. For example, an application using the library to call Slack's API could have its messages, tokens, or other sensitive data intercepted [2]. The attacker gains a position equivalent to the trusted server, enabling credential theft, data manipulation, and further lateral attacks.

Mitigation

The issue is fixed in version 7.0.0 of tiny-json-http, which re-enables SSL certificate validation by default. Users should upgrade to 7.0.0 or later. As a workaround, applications can bypass the library for sensitive HTTPS calls or implement their own certificate validation logic. The vulnerability is recorded in the GitHub Advisory Database (GHSA-7h42-5vj2-cq39) [4]. No official KEV listing is available as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions    Patched versions
tiny-json-http (npm)   >= 1.0.1, < 7.0.0    7.0.0

Affected products: 2

Patches: 1
3c1e36d8bef3

Merge pull request #15 from jasonk/ssl-verification

https://github.com/brianleroux/tiny-json-http · Brian LeRoux · Feb 15, 2018 · via ghsa
2 files changed · +0 −2
  • _read.js (+0 −1, modified)
    @@ -32,7 +32,6 @@ module.exports = function _read(options, callback) {
     
       var method = opts.protocol === 'https:'? https.get : http.get
     
    -  opts.rejectUnauthorized = false
       opts.headers = options.headers || {}
       opts.headers['User-Agent'] = opts.headers['User-Agent'] || 'tiny-http'
       opts.headers['Content-Type'] = opts.headers['Content-Type'] || 'application/json'
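Review bot: deleting `opts.rejectUnauthorized = false` restores Node's default certificate verification, but the hunk adds no regression test, so the line could come back unnoticed; a test that makes a request to a server presenting an untrusted certificate and asserts that the request errors out would lock the behaviour in. Since `opts` appears to be derived from the caller's `options` (see `opts.headers = options.headers || {}`), it is also worth deciding explicitly whether a caller-supplied `rejectUnauthorized: false` should be honoured or rejected, rather than leaving that to whatever is copied through.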
    
  • _write.js (+0 −1, modified)
    @@ -35,7 +35,6 @@ module.exports = function _write(httpMethod, options, callback) {
     
       // wrangle defaults
       opts.method = httpMethod
    -  opts.rejectUnauthorized = false
       opts.headers = options.headers || {}
       opts.headers['User-Agent'] = opts.headers['User-Agent'] || 'tiny-http'
       opts.headers['Content-Type'] = opts.headers['Content-Type'] || defaultContentType
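Review bot: this is the same one-line removal as in _read.js, which shows the `// wrangle defaults` block is duplicated across the read and write paths; moving it into a shared helper would keep the two from drifting, since a fix applied to only one file would have left the other request path with validation disabled. The change also alters observable behaviour (certificate errors now surface to callers), so a changelog note alongside the major version bump would help users understand new failures after upgrading.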
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
