VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 16, 2023· Updated Aug 2, 2024

CVE-2023-28155

CVE-2023-28155

Description

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Request package for Node.js before 3.0.0 allows SSRF bypass via cross-protocol redirects due to insecure redirect handling.

Vulnerability

Description CVE-2023-28155 resides in the Request package for Node.js, up to version 2.88.1. The library, while deprecated by its original maintainer [1], remains widely used. The core issue is the default acceptance of cross-protocol redirects (HTTP→HTTPS or HTTPS→HTTP) without proper validation. This allows an attacker-controlled server to redirect a request initiated by the library to a different protocol, effectively bypassing Server-Side Request Forgery (SSRF) mitigations that rely on protocol validation [2].

Exploitation

Exploitation is straightforward: an attacker hosts a server that initially responds to a legitimate request (e.g., to an allowed HTTP endpoint) but subsequently returns a redirect to a different protocol (e.g., HTTPS). The Request package, by default, follows this redirect without checking if the protocol change is safe. The attacker does not need authentication or special privileges beyond the ability to serve a malicious redirect from a controlled host [2].

Impact

Successful exploitation allows an attacker to force the server-side application to make requests to arbitrary endpoints, potentially including internal services or those on different protocols that would otherwise be blocked by SSRF filters. This can lead to data exfiltration, internal network scanning, or further exploitation of internal systems [2]. The vulnerability is particularly dangerous because it bypasses common SSRF defenses that check only the initial request protocol.

Mitigation

The vulnerability is addressed in version 3.0.0 of the Request package (maintained as a fork by cypress-io) by introducing an allowInsecureRedirect option that defaults to false [3][4]. Users are strongly advised to upgrade to version 3.0.0 or later, or migrate to an alternative HTTP client library. The original package has been fully deprecated since February 2020 and will not receive any further patches [1].

References
  1. GitHub - request/request: 🏊🏾 Simplified HTTP request client.
  2. NVD - CVE-2023-28155
  3. Release v3.0.0 · cypress-io/request
  4. feat: Add allowInsecureRedirect option · cypress-io/request@c5bcf21

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
requestnpm
<= 2.88.2
@cypress/requestnpm
< 3.0.03.0.0

Affected products

53

Patches

1
c5bcf21d40fb

feat: Add allowInsecureRedirect option

https://github.com/cypress-io/requestlegobeatAug 8, 2023via ghsa
commit
7 files changed · +26 3
  • lib/redirect.js+5 1 modified
    @@ -14,6 +14,7 @@ function Redirect (request) {
   this.redirects = []
   this.redirectsFollowed = 0
   this.removeRefererHeader = false
+  this.allowInsecureRedirect = false
 }
 
 Redirect.prototype.onRequest = function (options) {
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
   if (options.followOriginalHttpMethod !== undefined) {
     self.followOriginalHttpMethod = options.followOriginalHttpMethod
   }
+  if (options.allowInsecureRedirect !== undefined) {
+    self.allowInsecureRedirect = options.allowInsecureRedirect
+  }
 }
 
 Redirect.prototype.redirectTo = function (response) {
@@ -113,7 +117,7 @@ Redirect.prototype.onResponse = function (response, callback) {
     request.uri = url.parse(redirectTo)
 
     // handle the case where we change protocol from https to http or vice versa
-    if (request.uri.protocol !== uriPrev.protocol) {
+    if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
       delete request.agent
     }
  • README.md+1 0 modified
    @@ -707,6 +707,7 @@ The first argument can be either a `url` or an `options` object. The only requir
 - `followOriginalHttpMethod` - by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: `false`)
 - `maxRedirects` - the maximum number of redirects to follow (default: `10`)
 - `removeRefererHeader` - removes the referer header when a redirect happens (default: `false`). **Note:** if true, referer header set in the initial request is preserved during redirect chain.
+- `allowInsecureRedirect` - allows cross-protocol redirects (HTTP to HTTPS and vice versa). **Warning:** may lead to bypassing anti SSRF filters (default: `false`)
 
 ---
  • tests/test-httpModule.js+1 1 modified
    @@ -70,7 +70,7 @@ function runTests (name, httpModules) {
   tape(name, function (t) {
     var toHttps = 'http://localhost:' + plainServer.port + '/to_https'
     var toPlain = 'https://localhost:' + httpsServer.port + '/to_plain'
-    var options = { httpModules: httpModules, strictSSL: false }
+    var options = { httpModules: httpModules, strictSSL: false, allowInsecureRedirect: true }
     var modulesTest = httpModules || {}
 
     clearFauxRequests()
  • tests/test-redirect-auth.js+1 0 modified
    @@ -18,6 +18,7 @@ request = request.defaults({
     user: 'test',
     pass: 'testing'
   },
+  allowInsecureRedirect: true,
   rejectUnauthorized: false
 })
  • tests/test-redirect-complex.js+1 0 modified
    @@ -67,6 +67,7 @@ tape('lots of redirects', function (t) {
     request({
       url: (i % 2 ? s.url : ss.url) + '/a',
       headers: { 'x-test-key': key },
+      allowInsecureRedirect: true,
       rejectUnauthorized: false
     }, function (err, res, body) {
       t.equal(err, null)
  • tests/test-redirect.js+14 1 modified
    @@ -445,7 +445,8 @@ tape('http to https redirect', function (t) {
   hits = {}
   request.get({
     uri: require('url').parse(s.url + '/ssl'),
-    rejectUnauthorized: false
+    rejectUnauthorized: false,
+    allowInsecureRedirect: true
   }, function (err, res, body) {
     t.equal(err, null)
     t.equal(res.statusCode, 200)
@@ -454,6 +455,18 @@ tape('http to https redirect', function (t) {
   })
 })
 
+tape('http to https redirect should fail without the explicit "allowInsecureRedirect" option', function (t) {
+  hits = {}
+  request.get({
+    uri: require('url').parse(s.url + '/ssl'),
+    rejectUnauthorized: false
+  }, function (err, res, body) {
+    t.notEqual(err, null)
+    t.equal(err.code, 'ERR_INVALID_PROTOCOL', 'Failed to cross-protocol redirect')
+    t.end()
+  })
+})
+
 tape('should have referer header by default when following redirect', function (t) {
   request.post({
     uri: s.url + '/temp',
  • tests/test-tunnel.js+3 0 modified
    @@ -356,6 +356,7 @@ function addTests () {
     'https->http over http, tunnel=true',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url,
       tunnel: true
     },
@@ -372,6 +373,7 @@ function addTests () {
     'https->http over http, tunnel=false',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url,
       tunnel: false
     },
@@ -388,6 +390,7 @@ function addTests () {
     'https->http over http, tunnel=default',
     {
       url: ss.url + '/redirect/http',
+      allowInsecureRedirect: true,
       proxy: s.url
     },
     [

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13

News mentions

0

No linked articles in our index yet.