Description
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: The request package is no longer supported by the maintainer.
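Added example (not code from the advisory, request, or @cypress/request): a Node.js redirect follower that re-runs the SSRF allow/deny policy on every hop, so a redirect that switches protocol gets exactly the same check as the first request. The hostnames and Location headers are constructed for illustration and no network I/O is performed.

```javascript
// Added example, not code from the request or @cypress/request packages.
// Follows a redirect chain and re-applies the SSRF policy on every hop; a
// protocol switch (http -> https or back) gets no special treatment.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_REDIRECTS = 5;
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for loopback, link-local and RFC 1918 literals (and "localhost").
// Production code must also pin the resolved address of hostnames.
function isPrivateAddress(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost") return true;
  const m = IPV4.exec(h);
  if (m) {
    const [a, b] = [Number(m[1]), Number(m[2])];
    return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(":")) return h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80");
  return false;
}

// Policy applied to the initial URL and to each redirect target alike.
// Returns null when the target is acceptable, otherwise the refusal reason.
function checkTarget(url) {
  if (!ALLOWED_SCHEMES.has(url.protocol)) return `scheme ${url.protocol} not allowed`;
  if (isPrivateAddress(url.hostname)) return `host ${url.hostname} is internal`;
  return null;
}

// `locations` stands in for the Location headers of successive 3xx responses
// (constructed input; no network I/O). Relative Locations resolve against the
// current hop, exactly as a real client would resolve them.
function followRedirects(startUrl, locations) {
  let current = new URL(startUrl);
  let err = checkTarget(current);
  if (err) return { ok: false, hops: 0, reason: err };
  for (let i = 0; i < locations.length; i++) {
    if (i >= MAX_REDIRECTS) return { ok: false, hops: i, reason: "too many redirects" };
    const next = new URL(locations[i], current);
    err = checkTarget(next); // same check even if next.protocol !== current.protocol
    if (err) return { ok: false, hops: i + 1, reason: `redirect ${i + 1}: ${err}` };
    current = next;
  }
  return { ok: true, hops: locations.length, url: current.href };
}
```

The point to check in any client you audit is that the validation runs on the redirect target as well as the initial URL; a check that runs only once, or only for one protocol, is the class of mitigation this advisory describes being bypassed.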
Recommendation
Update the @cypress/request package to the latest compatible version. Version details:
- Affected version(s): <= 2.88.12
- Patched version(s): 3.0.0
References
- GHSA-p8p7-x288-28g6
- doyensec.com
- security.netapp.com
- CVE-2023-28155
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- pg-promise SQL Injection vulnerability - CVE-2025-29744
- njwt Prototype Pollution vulnerability - CVE-2024-34273
- Elliptic allows BER-encoded signatures - CVE-2024-42461
- ejs lacks certain pollution protection - CVE-2024-33883
Tags:
- npm
- @cypress/request
Last updated on March 21, 2024