CVE-2023-28155 - Server-Side Request Forgery (SSRF) vulnerability in Request Project Request
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: LOW
- Availability impact: NONE
Summary
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
- https://github.com/request/request/issues/3442
- https://github.com/request/request/pull/3444
- https://security.netapp.com/advisory/ntap-20230413-0007/