6.1
CVSSv3

CVE-2023-28155

Published: 16/03/2023 Updated: 17/05/2024
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

The Request package up to and including 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
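An added example (not code from the Request package or from request-filtering-agent) of a redirect follower that re-checks the destination before every hop, so a switch between HTTP and HTTPS cannot skip the filter. It is synchronous and uses constructed stubs (`sampleFetch`, `sampleResolve`, the `.example` host and its addresses) so it runs offline; the IPv4 blocklist is an assumed, partial list.

```javascript
// Assumed, partial list of private/reserved IPv4 ranges (not the library's own list).
const BLOCKED = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const toInt = ip => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);

function isBlockedIPv4(ip) {
  return BLOCKED.some(cidr => {
    const [base, bits] = cidr.split('/');
    const size = 2 ** (32 - Number(bits)); // number of addresses in the range
    return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
  });
}

// Throws unless the URL is http(s) and points at a public IPv4 address (fails closed).
function assertAllowed(url, resolve) {
  if (!['http:', 'https:'].includes(url.protocol)) throw new Error(`blocked scheme: ${url.href}`);
  const ip = IPV4.test(url.hostname) ? url.hostname : resolve(url.hostname);
  if (!ip || !IPV4.test(ip) || isBlockedIPv4(ip)) throw new Error(`blocked destination: ${url.href}`);
}

// fetchOnce(url) must send ONE request with automatic redirects disabled and return
// { status, location }. A real client would also pin the connection to the checked address.
function followChecked(start, fetchOnce, resolve, maxHops = 5) {
  let url = new URL(start);
  for (let hop = 0; hop <= maxHops; hop++) {
    assertAllowed(url, resolve); // runs before every request, including hop 0
    const res = fetchOnce(url);
    if (res.status < 300 || res.status >= 400 || !res.location) return { url: url.href, status: res.status };
    url = new URL(res.location, url); // relative Location resolves against the current hop
  }
  throw new Error('too many redirects');
}

// Constructed sample data: a public HTTPS host whose /a redirects to plain HTTP
// on a private address, and whose /b redirects to a harmless relative path.
const SAMPLE_DNS = { 'files.example': '203.0.113.10' };
const SAMPLE_RESPONSES = {
  'https://files.example/a': { status: 302, location: 'http://10.0.0.5/' },
  'https://files.example/b': { status: 301, location: '/c' },
  'https://files.example/c': { status: 200 },
};
const sampleResolve = host => SAMPLE_DNS[host];
const sampleFetch = url => SAMPLE_RESPONSES[url.href] || { status: 404 };

console.log(followChecked('https://files.example/b', sampleFetch, sampleResolve));
try { followChecked('https://files.example/a', sampleFetch, sampleResolve); }
catch (err) { console.log(err.message); } // the HTTPS -> HTTP hop is refused
```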

Vulnerable Product

request project request

Vendor Advisories

Debian Bug report logs - #1033250: node-request: CVE-2023-28155. Package: src:node-request; Maintainer for src:node-request is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Mon, 20 Mar 2023 18:39:02 UTC; Severity: normal; Tags: securit ...

Github Repositories

An http(s).Agent implementation that blocks requests to Private/Reserved IP addresses. Prevents SSRF.

request-filtering-agent: An http(s).Agent class that blocks the request to Private IP addresses and Reserved IP addresses. It helps to prevent server-side request forgery (SSRF) attacks. What is SSRF (Server-side request forgery)? Tutorial & Examples. This library depends on ipaddr.js definitions. This library blocks the request to these IP addresses by default: Private IPv4