CVE-2023-28155

About vulnerability

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected product:

Acorn , Angular , Next.js , Node.js , browser-env , cypress-request , jQuery , javascript-test-reporter , jpm , jsdom , last-release-npm , loopback , loopback-connector-remote , npm-registry-client , protractor , request , semantic-release , sign-addon , strong-remoting , styled-jsx , webdriver-manager , window , yui

Affected packages:

request @ 2.36.0 (+68 more)

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.