Cleartext Transmission of Sensitive Information
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Disabling TLS certificate verification in Node.js, either by setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0 or by passing rejectUnauthorized: false in connection options, allows connections to untrusted servers. This bypasses certificate validation and turns an otherwise secure connection into an insecure one.
Impact
Attackers can intercept and read sensitive data by performing man-in-the-middle attacks, since the application will trust any server, including a malicious one presenting an arbitrary certificate. This can lead to data theft, account compromise, and loss of user trust.