Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-28155

Good to know:

icon
icon

Date: March 15, 2023

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Language: JS

Severity Score

Related Resources (15)

https://github.com/request/request/issues/3442
https://github.com/cypress-io/request/pull/28
https://nvd.nist.gov/vuln/detail/CVE-2023-28155
https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116
https://github.com/request/request
https://security.netapp.com/advisory/ntap-20230413-0007
https://github.com/github/advisory-database/pull/2500
https://github.com/cypress-io/request/releases/tag/v3.0.0
https://github.com/request/request/pull/3444
https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f
https://security-tracker.debian.org/tracker/CVE-2023-28155
https://github.com/request/request/blob/master/lib/redirect.js#L111
https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
https://security.netapp.com/advisory/ntap-20230413-0007/
https://www.mend.io/vulnerability-database/CVE-2023-28155

Severity Score

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

icon

Upgrade Version

Upgrade to version @cypress/request - 3.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us