CVE-2023-28155

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Database specific

{
    "cna_assigner": "mitre",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28155.json"
}

References

Affected packages

Git / github.com/request/request

Affected ranges

Type: GIT
Repo: https://github.com/request/request
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8162961dfdb73dc35a5a4bfeefb858c2ed2ccbb7

Affected versions

v1.*

v1.2.0

v2.*

v2.17.0

v2.18.0

v2.18.1

v2.19.0

v2.19.1

v2.20.0

v2.20.1

v2.21.0

v2.21.1

v2.22.0

v2.22.1

v2.23.0

v2.23.1

v2.24.0

v2.24.1

v2.25.0

v2.25.1

v2.26.0

v2.26.1

v2.27.0

v2.27.1

v2.28.0

v2.28.1

v2.29.0

v2.29.1

v2.30.0

v2.30.1

v2.31.0

v2.31.1

v2.32.0

v2.32.1

v2.33.0

v2.33.1

v2.34.0

v2.34.1

v2.35.0

v2.35.1

v2.36.0

v2.36.1

v2.37.0

v2.37.1

v2.38.0

v2.38.1

v2.39.0

v2.39.1

v2.40.0

v2.40.1

v2.41.0

v2.41.1

v2.42.0

v2.42.1

v2.43.0

v2.43.1

v2.44.0

v2.44.1

v2.45.0

v2.45.1

v2.46.0

v2.46.1

v2.47.0

v2.47.1

v2.48.0

v2.48.1

v2.52.0

v2.52.1

v2.53.0

v2.53.1

v2.54.0

v2.54.1

v2.55.0

v2.55.1

v2.56.0

v2.56.1

v2.57.0

v2.57.1

v2.58.0

v2.58.1

v2.59.0

v2.59.1

v2.60.0

v2.60.1

v2.66.0

v2.66.1

v2.67.0

v2.67.1

v2.68.0

v2.68.1

v2.70.0

v2.70.1

v2.71.0

v2.71.1

v2.72.0

v2.72.1

v2.73.0

v2.73.1

v2.74.0

v2.74.1

v2.75.0

v2.75.1

v2.76.0

v2.76.1

v2.77.0

v2.77.1

v2.78.0

v2.78.1

v2.79.0

v2.79.1

v2.80.0

v2.80.1

v2.82.0

v2.82.1

v2.83.0

v2.83.1

v2.84.0

v2.84.1

v2.85.0

v2.85.1

v2.86.0

v2.86.1

v2.87.0

v2.87.1

v2.88.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28155.json"