The request package through 2.88.2 for Node.js and the @cypress/request package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: The request package is no longer supported by the maintainer.
The
request
package through 2.88.2 for Node.js and the@cypress/request
package through 2.88.11 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The
request
package is no longer supported by the maintainer.