jjj333-p / spam-police

A matrix bot to monitor and respond to investment scam spamming across the matrix platform, for example in rooms with a permanently offline admin.
GNU Affero General Public License v3.0

@cypress/request package vuln/abandonment #42

Closed jjj333-p closed 8 months ago

jjj333-p commented 10 months ago

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

https://github.com/jjj333-p/spam-police/security/dependabot/1
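The bug class the advisory describes is a client that validates the first URL against its SSRF policy but not the URL it is redirected to, so a remote server can answer 3xx with a `Location` on a different protocol (and a different host). As an added example, not spam-police's code and not how the `request` package implements redirects, here is a redirect policy that refuses protocol changes and re-applies an internal-address check on every hop. The `request` function is injected so the demo runs offline against a constructed stub; `external.example` and `10.0.0.5` are made-up values.

```javascript
// Added example (not the project's code). Assumes the caller already applied
// an SSRF policy to the first URL; the point is to re-apply it on every hop
// and to refuse cross-protocol hops, which the advisory says was missing.

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Takes the hostname as produced by the WHATWG URL parser, which already
// canonicalises hex/octal/short IPv4 forms (e.g. 0x7f.1) to dotted decimal
// and wraps IPv6 literals in brackets.
function isDisallowedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = parseIPv4(h);
  if (v4) return isInternalIPv4(v4);
  if (h.includes(":")) {                                   // IPv6 literal
    if (h === "::1" || h === "::") return true;            // loopback / unspecified
    if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true; // ULA, link-local
    const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h); // IPv4-mapped, hex form
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isInternalIPv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
    }
    const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h); // IPv4-mapped, dotted form
    if (dotted) return isInternalIPv4(parseIPv4(dotted[1]) || [0, 0]);
  }
  return false;
}

// Decide whether a redirect from `fromUrl` to the Location header `location`
// may be followed. Relative Locations are resolved against the current URL.
function checkRedirect(fromUrl, location) {
  const from = new URL(fromUrl);
  let to;
  try { to = new URL(location, from); } catch { return { ok: false, reason: "unparseable Location header" }; }
  if (to.protocol !== "http:" && to.protocol !== "https:") return { ok: false, reason: `non-HTTP scheme ${to.protocol}` };
  if (to.protocol !== from.protocol) return { ok: false, reason: `cross-protocol redirect ${from.protocol} -> ${to.protocol}` };
  if (isDisallowedHost(to.hostname)) return { ok: false, reason: `redirect target ${to.hostname} is an internal address` };
  return { ok: true, url: to.href };
}

// Follow redirects with an injected request function (synchronous here so the
// demo runs offline; a real client would await it). Every hop is re-checked.
function followRedirects(startUrl, request, maxHops = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const resp = request(current);
    const location = resp.headers && resp.headers.location;
    if (resp.status < 300 || resp.status > 399 || !location) return { url: current, status: resp.status };
    const verdict = checkRedirect(current, location);
    if (!verdict.ok) throw new Error(`refusing redirect from ${current}: ${verdict.reason}`);
    current = verdict.url;
  }
  throw new Error(`more than ${maxHops} redirects from ${startUrl}`);
}

// Constructed stub standing in for an HTTP client. /start answers with the
// cross-protocol redirect from the advisory; /ok with a same-protocol one.
const STUB_RESPONSES = {
  "https://external.example/start": { status: 302, headers: { location: "http://10.0.0.5/internal/" } },
  "https://external.example/ok":    { status: 302, headers: { location: "https://external.example/final" } },
  "https://external.example/final": { status: 200, headers: {} },
};
const stubRequest = (url) => STUB_RESPONSES[url] || { status: 404, headers: {} };

function demo() {
  const results = {};
  results.good = followRedirects("https://external.example/ok", stubRequest);
  try {
    followRedirects("https://external.example/start", stubRequest);
    results.bad = "followed";
  } catch (e) {
    results.bad = e.message;
  }
  return results;
}

console.log(demo());
```

The protocol check is deliberately stricter than "stay on HTTPS": an HTTP-to-HTTPS hop is also refused, because the policy a caller applied to an `http:` URL (for instance a port allowlist) may not carry over, and the advisory treats both directions as the bypass. A real client would additionally resolve the hostname and apply the same internal-address check to the resolved IPs, since a public name can point at an internal address.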

jjj333-p commented 9 months ago

I have this here because I've no idea what to do :skull:

jjj333-p commented 8 months ago

should be fine tbh