Vulnerabilities: 1 via 2 paths
Dependencies: 263
Source: GitHub
Commit: 5a85f40b


Severity: medium (new)

Server-side Request Forgery (SSRF)

  • Vulnerable module: request
  • Introduced through: request-json-rpc2@1.0.0 and telegram-bot-api-express@1.1.0

Detailed paths

  • Introduced through: prosto-diary@gotois/ProstoDiary_bot#5a85f40bdcacca74e56cb2935d1a5f28d9ab66bb > request-json-rpc2@1.0.0 > request@2.88.2
  • Introduced through: prosto-diary@gotois/ProstoDiary_bot#5a85f40bdcacca74e56cb2935d1a5f28d9ab66bb > telegram-bot-api-express@1.1.0 > node-telegram-bot-api@0.60.0 > request@2.88.2

Overview

request is a simplified HTTP request client. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because the redirect handling in the lib/redirect.js file does not check the protocol of the redirect target: in the default configuration it follows insecure cross-protocol redirects (HTTP to HTTPS, or HTTPS to HTTP) issued by an attacker-controlled server, so a server the application is pointed at can bounce the request to a destination and scheme the application never intended to reach.

NOTE: This package has been deprecated, so a fix is not expected. See https://github.com/request/request/issues/3142.

Remediation

A fix was pushed into the master branch but not yet published. Because the package is deprecated and the patched code is not available from the npm registry, treat the dependency itself as the problem: confirm the two paths above locally with npm ls request, then update or replace request-json-rpc2 and node-telegram-bot-api (pulled in via telegram-bot-api-express) with versions or alternatives that do not depend on request. Until that is done, make sure no attacker-influenced URL reaches code that ends up calling request, since an attacker-controlled server only needs to answer with a cross-protocol redirect.

References