CVE-2023-28155
SSRF vulnerability in request

SSRF No known exploit

What is CVE-2023-28155 About?

The `request` package for Node.js (through 2.88.2) and `@cypress/request` (prior to 3.0.0) are vulnerable to Server-Side Request Forgery (SSRF) because their existing mitigations can be bypassed. The bypass uses a cross-protocol redirect (HTTP to HTTPS or vice versa), enabling an attacker to manipulate server-side requests. Exploitation is moderately complex and requires controlling a server that performs such redirects.

Affected Software

  • request
    • <=2.88.2
  • @cypress/request
    • <3.0.0

Technical Details

The `request` package (Node.js) and `@cypress/request` (prior to 3.0.0) implement SSRF mitigations that are insufficient when confronted with cross-protocol redirects. Specifically, if a request is initiated over one protocol (e.g., HTTP) and then redirected by an attacker-controlled server to a different protocol (e.g., HTTPS, or vice versa), the package's internal validation mechanisms fail to identify and block the redirection to an unauthorized internal resource or an otherwise restricted endpoint. By controlling the redirecting server, an attacker can therefore force the vulnerable application to make requests to arbitrary internal or external services, bypassing intended security boundaries.
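The weakness described above is a destination check that does not hold once a redirect switches protocol. The following added example (not code from `request`, `@cypress/request` or this advisory) shows a hop-by-hop check that is applied identically to same-protocol and cross-protocol redirects. The function names, the blocked ranges and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: apply the same destination check to every redirect hop.
// Policy (assumed): only http/https, no loopback, private or link-local targets.

function isInternalHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // WHATWG URL parsing has already normalized forms such as 0x7f.1 to 127.0.0.1.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    const [a, b] = host.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (host.startsWith('[')) { // IPv6 literals keep their brackets in URL.hostname
    const v6 = host.slice(1, -1);
    return v6 === '::' || v6 === '::1' || v6.startsWith('::ffff:') ||
      /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
  }
  return false; // Names still need a check on the resolved address at connect time.
}

function checkUrl(url) {
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'scheme not allowed';
  if (isInternalHost(url.hostname)) return 'internal destination';
  return null;
}

// Walk the Location values a server returned, vetting each hop before following it.
function vetRedirectChain(startUrl, locations, maxHops = 5) {
  let current = new URL(startUrl);
  let reason = checkUrl(current);
  if (reason) return { allowed: false, hop: 0, url: current.href, reason };
  if (locations.length > maxHops) {
    return { allowed: false, hop: maxHops + 1, url: current.href, reason: 'too many redirects' };
  }
  for (let i = 0; i < locations.length; i++) {
    const next = new URL(locations[i], current); // resolves relative Location values
    reason = checkUrl(next); // runs whether or not the protocol changed
    if (reason) return { allowed: false, hop: i + 1, url: next.href, reason };
    current = next;
  }
  return { allowed: true, hop: locations.length, url: current.href, reason: null };
}

// Constructed sample: an HTTP request answered with a redirect to an HTTPS internal address.
console.log(vetRedirectChain('http://partner.example/feed', ['https://10.0.0.5/admin']));
```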

What is the Impact of CVE-2023-28155?

Successful exploitation may allow attackers to perform Server-Side Request Forgery (SSRF), enabling them to access internal network resources, bypass firewalls, conduct port scanning, or interact with other services not intended for external communication.

What is the Exploitability of CVE-2023-28155?

Exploitation of this vulnerability is of moderate complexity. It requires an attacker to control a server that can perform cross-protocol redirects. The attack is remote, as it involves the vulnerable application making requests to the attacker's server. There are no specific authentication or privilege requirements for the vulnerability itself, beyond the ability of the application to interact with external URLs. A user action, such as visiting a crafted URL or submitting data to an application that then uses the vulnerable `request` package, might be necessary to trigger the initial request to the attacker-controlled server. The primary risk factor is applications that process user-supplied URLs or make requests based on external input using the vulnerable package.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-28155?

Available Upgrade Options

  • @cypress/request
    • <3.0.0 → Upgrade to 3.0.0

What are Similar Vulnerabilities to CVE-2023-28155?

Similar Vulnerabilities: CVE-2023-39325, CVE-2023-44270, CVE-2022-48590, CVE-2023-38407, CVE-2023-32002