Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wOHA3LXgyODgtMjhnNs4AAyJl

Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.
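The mitigation gap the advisory describes is an outbound-request check that runs once on the caller's URL and then follows redirects blindly, so a redirect to another scheme (and, with it, typically another host or port) is never re-examined. The following is an added example, not code from the advisory, from ecosyste.ms, or from the request package: a vulnerable client pattern beside a hardened one that re-validates every hop. The policy shape, the `send` transport function, and all hostnames and responses are constructed for the example; no network is used.

```javascript
'use strict';

// Policy used by the hardened client. Hosts are constructed for the example.
const DEFAULT_POLICY = {
  allowedProtocols: new Set(['https:']),
  allowedHosts: new Set(['api.example.com', 'cdn.example.com']),
  maxRedirects: 5,
};

// Validates one URL against the policy: parseable, permitted scheme, permitted host.
function checkTarget(urlString, policy = DEFAULT_POLICY) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!policy.allowedProtocols.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  }
  if (!policy.allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not allowed` };
  }
  return { ok: true };
}

// Resolves a Location header the way HTTP clients do (relative paths allowed).
// Returns null when the response is not a redirect.
function resolveLocation(res, currentUrl) {
  const loc = res.headers && res.headers.location;
  if (!loc || res.status < 300 || res.status >= 400) return null;
  return new URL(loc, currentUrl).toString();
}

// Vulnerable pattern: the SSRF check runs once on the caller's URL and every
// redirect is followed blindly, so a redirect to another scheme or host lands
// wherever the redirecting server chooses.
function fetchCheckingFirstUrlOnly(startUrl, send, policy = DEFAULT_POLICY) {
  const check = checkTarget(startUrl, policy);
  if (!check.ok) return { ok: false, reason: check.reason };
  let current = startUrl;
  for (let i = 0; i <= policy.maxRedirects; i++) {
    const res = send(current);
    const next = resolveLocation(res, current);
    if (!next) return { ok: true, finalUrl: current, status: res.status };
    current = next;
  }
  return { ok: false, reason: 'too many redirects' };
}

// Hardened pattern: the same check runs before every hop, so a cross-protocol
// (or cross-host) redirect is rejected instead of silently followed.
function fetchWithPolicy(startUrl, send, policy = DEFAULT_POLICY) {
  const hops = [];
  let current = startUrl;
  for (let i = 0; i <= policy.maxRedirects; i++) {
    const check = checkTarget(current, policy);
    if (!check.ok) return { ok: false, blockedAt: current, reason: check.reason, hops };
    const res = send(current);
    hops.push(current);
    const next = resolveLocation(res, current);
    if (!next) return { ok: true, finalUrl: current, status: res.status, hops };
    current = next;
  }
  return { ok: false, reason: 'too many redirects', hops };
}

// Constructed responses standing in for remote servers. '/start' models a
// permitted host answering with an HTTPS -> HTTP redirect toward an internal
// hostname; 'intranet.example.internal' is made up for the example.
const FAKE_RESPONSES = {
  'https://api.example.com/start': { status: 302, headers: { location: 'http://intranet.example.internal/' } },
  'https://api.example.com/hop': { status: 301, headers: { location: '/ok' } },
  'https://api.example.com/ok': { status: 200, headers: {} },
  'https://api.example.com/loop': { status: 302, headers: { location: '/loop' } },
  'http://intranet.example.internal/': { status: 200, headers: {} },
};

// Stand-in transport: looks up the constructed response instead of sending anything.
function fakeSend(url) {
  return FAKE_RESPONSES[url] || { status: 404, headers: {} };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('first-URL-only check:', fetchCheckingFirstUrlOnly('https://api.example.com/start', fakeSend));
  console.log('per-hop check:      ', fetchWithPolicy('https://api.example.com/start', fakeSend));
}
```

Run with `node` to see the two outcomes side by side: the first-URL-only client reports success with an `http://` internal URL as its final destination, while the per-hop client stops at that hop with the reason `protocol http: not allowed`. When auditing a dependency's redirect handling, the question to ask is exactly this one: is the allow-list consulted again after each `Location` header, including on scheme changes, or only before the first request?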

Permalink: https://github.com/advisories/GHSA-p8p7-x288-28g6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOHA3LXgyODgtMjhnNs4AAyJl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 month ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-p8p7-x288-28g6, CVE-2023-28155
References: Repository: https://github.com/request/request
Blast Radius: 36.2

Affected Packages

npm:@cypress/request
Dependent packages: 29
Dependent repositories: 68,098
Downloads: 21,899,198 last month
Affected Version Ranges: <= 2.88.12
Fixed in: 3.0.0
All affected versions: 2.88.2, 2.88.3, 2.88.4, 2.88.5, 2.88.6, 2.88.7, 2.88.8, 2.88.9, 2.88.10, 2.88.11, 2.88.12
All unaffected versions: 3.0.0, 3.0.1

npm:request
Dependent packages: 58,231
Dependent repositories: 847,768
Downloads: 59,163,161 last month
Affected Version Ranges: <= 2.88.2
No known fixed version
All affected versions: 0.8.3, 0.9.0, 0.9.1, 0.9.5, 0.10.0, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.2.0, 2.2.5, 2.2.6, 2.2.9, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.100, 2.9.150, 2.9.151, 2.9.152, 2.9.153, 2.9.200, 2.9.201, 2.9.202, 2.9.203, 2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.14.0, 2.16.0, 2.16.2, 2.16.4, 2.16.6, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.47.0, 2.48.0, 2.49.0, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0, 2.61.0, 2.62.0, 2.63.0, 2.64.0, 2.65.0, 2.66.0, 2.67.0, 2.68.0, 2.69.0, 2.70.0, 2.71.0, 2.72.0, 2.73.0, 2.74.0, 2.75.0, 2.76.0, 2.77.0, 2.78.0, 2.79.0, 2.80.0, 2.81.0, 2.82.0, 2.83.0, 2.84.0, 2.85.0, 2.86.0, 2.87.0, 2.88.0, 2.88.2