Server-side Request Forgery (SSRF) Affecting request package, versions *
Snyk CVSS
Exploit Maturity
Proof of concept
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-REQUEST-3361831
- published 17 Mar 2023
- disclosed 16 Mar 2023
- credit SzymonDrosdzol
Introduced: 16 Mar 2023
New CVE-2023-28155 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
request is a simplified http request client.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js
file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: This package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.