Vulnerability Description
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Request Project | Request | <= 2.88.1 |
Related Weaknesses (CWE)
References
- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdfExploitPatchTechnical Description
- https://github.com/request/request/issues/3442ExploitIssue TrackingPatch
- https://github.com/request/request/pull/3444Patch
- https://security.netapp.com/advisory/ntap-20230413-0007/
- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdfExploitPatchTechnical Description
- https://github.com/request/request/issues/3442ExploitIssue TrackingPatch
- https://github.com/request/request/pull/3444Patch
- https://security.netapp.com/advisory/ntap-20230413-0007/
FAQ
What is CVE-2023-28155?
CVE-2023-28155 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This v...
How severe is CVE-2023-28155?
CVE-2023-28155 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28155?
Check the references section above for vendor advisories and patch information. Affected products include: Request Project Request.