*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Vulnerable Library - node-prowl-0.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: f4d3d15ed771fb9b939d60a12f7e7eb1c09ea8d0
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-28155
### Vulnerable Library - request-2.88.0.tgzSimplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - node-prowl-0.1.8.tgz (Root Library) - :x: **request-2.88.0.tgz** (Vulnerable Library)
Found in HEAD commit: f4d3d15ed771fb9b939d60a12f7e7eb1c09ea8d0
Found in base branch: unstable
### Vulnerability DetailsThe request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0