cypress-io / request

🏊🏾 Simplified HTTP request client.
Apache License 2.0

Server-Side Request Forgery in Request #34

Closed vadimka123 closed 1 year ago

vadimka123 commented 1 year ago

The request package through 2.88.2 for Node.js and the @cypress/request package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.
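
A defensive check for the behaviour described in this issue, as an added example that is not code from request, @cypress/request or the fix PR: it applies one destination policy to every hop of a redirect chain, so a switch between HTTP and HTTPS cannot skip it. The names `checkRedirectChain` and `isInternalHost`, the blocked ranges and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not project code); all names here are hypothetical.
// Scope: literal hosts only. Hostnames that resolve to internal addresses
// also need a check at connection time. new URL() canonicalizes IPv4 forms
// such as 0x7f.1 to dotted decimal before the check runs.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isInternalHost(hostname) {
  if (hostname === 'localhost' || hostname === '[::1]') return true;
  const addr = v4ToInt(hostname);
  if (addr === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}

// Apply the same policy to the start URL and to every Location header,
// whether or not the hop changes scheme.
function checkRedirectChain(startUrl, locations, maxHops = 5) {
  let url = new URL(startUrl);
  let crossProtocol = false;
  if (locations.length > maxHops) return { allowed: false, crossProtocol, reason: 'too many redirects' };
  for (let i = 0; i <= locations.length; i++) {
    if (i > 0) {
      const next = new URL(locations[i - 1], url); // resolves relative Location
      crossProtocol = crossProtocol || next.protocol !== url.protocol;
      url = next;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allowed: false, crossProtocol, reason: `scheme ${url.protocol}` };
    if (isInternalHost(url.hostname)) return { allowed: false, crossProtocol, reason: `internal host ${url.hostname}` };
  }
  return { allowed: true, crossProtocol, reason: 'ok' };
}

// Constructed sample: an HTTPS start URL redirected to HTTP on a private address.
console.log(checkRedirectChain('https://redirector.example/start', ['http://10.0.0.5/']));
```

The `crossProtocol` flag is returned separately so a caller can log scheme changes even when the destination itself passes the policy.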

LubosK commented 1 year ago

bump

ewoelfel commented 1 year ago

Duplicate of #27; a PR fixing it can be found under https://github.com/cypress-io/request/pull/28

MikeMcC399 commented 1 year ago