Description
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: The request package is no longer supported by the maintainer.
Recommendation
Update the @cypress/request package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 2.88.12
- Patched version(s): 3.0.0
References
- GHSA-p8p7-x288-28g6
- doyensec.com
- security.netapp.com
- CVE-2023-28155
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Server-Side Request Forgery (SSRF) in vriteio/vrite - CVE-2023-5572
- google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- Server-Side Request Forgery in axios - CVE-2024-39338
Tags:
- npm
- @cypress/request
Last updated on March 21, 2024