Moderate severityNVD Advisory· Published Mar 16, 2023· Updated Aug 2, 2024
CVE-2023-28155
CVE-2023-28155
Description
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
requestnpm | <= 2.88.2 | — |
@cypress/requestnpm | < 3.0.0 | 3.0.0 |
Affected products
53- Node.js/Requestdescription
- osv-coords52 versionspkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/nodejs-14pkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-compatpkg:apk/chainguard/opensearch-dashboards-2-configpkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-configpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-compatpkg:apk/wolfi/opensearch-dashboards-2-configpkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-2-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-2-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-2-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizationspkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-pluginpkg:npm/%40cypress/requestpkg:npm/request
< 2.14.3-r3+ 51 more
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 14.21.3-r1
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 2.19.1-r0
- (no CPE)range: < 3.0.0
- (no CPE)range: <= 2.88.2
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-p8p7-x288-28g6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-28155ghsaADVISORY
- doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdfghsaWEB
- github.com/cypress-io/request/blob/master/lib/redirect.jsghsaWEB
- github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024fghsaWEB
- github.com/cypress-io/request/pull/28ghsaWEB
- github.com/cypress-io/request/releases/tag/v3.0.0ghsaWEB
- github.com/github/advisory-database/pull/2500ghsaWEB
- github.com/request/request/blob/master/lib/redirect.jsghsaWEB
- github.com/request/request/issues/3442ghsaWEB
- github.com/request/request/pull/3444ghsaWEB
- security.netapp.com/advisory/ntap-20230413-0007ghsaWEB
- security.netapp.com/advisory/ntap-20230413-0007/mitre
News mentions
0No linked articles in our index yet.