NodeJS/request/2.30.0
Simplified HTTP request client.
https://www.npmjs.com/package/request
Apache-2.0
3 Security Vulnerabilities
Remote Memory Exposure in request
Published date: 2018-11-09T17:44:01Z
CVE: CVE-2017-16026
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16026
- https://github.com/advisories/GHSA-7xfp-9c55-5vqj
- https://github.com/request/request/issues/1904
- https://github.com/request/request/pull/2018
- https://www.npmjs.com/advisories/309
- https://nodesecurity.io/advisories/309
- https://github.com/request/request/pull/2022
- https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd
Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.
Proof of Concept
var request = require('request');
var http = require('http');
var serveFunction = function (req, res){
req.on('data', function (data) {
console.log(data)
});
res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);
request({
method: "POST",
uri: 'http://localhost:8000',
multipart: [{body:500}]
},function(err,res,body){});
Recommendation
Update to version 2.68.0 or later
Affected versions:
["2.2.6", "2.2.9", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.150", "2.9.151", "2.9.152", "2.9.153", "2.9.200", "2.9.201", "2.9.202", "2.9.203", "2.10.0", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.16.4", "2.16.6", "2.18.0", "2.19.0", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.26.0", "2.27.0", "2.28.0", "2.29.0", "2.30.0", "2.31.0", "2.32.0", "2.33.0", "2.34.0", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.49.0", "2.50.0", "2.51.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.65.0", "2.66.0", "2.67.0"]
Secure versions:
[]
Server-Side Request Forgery in Request
Published date: 2023-03-16T15:30:19Z
CVE: CVE-2023-28155
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28155
- https://github.com/request/request/issues/3442
- https://github.com/request/request/pull/3444
- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
- https://github.com/advisories/GHSA-p8p7-x288-28g6
- https://security.netapp.com/advisory/ntap-20230413-0007/
- https://github.com/github/advisory-database/pull/2500
- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116
- https://github.com/request/request/blob/master/lib/redirect.js#L111
- https://github.com/cypress-io/request/pull/28
- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f
- https://github.com/cypress-io/request/releases/tag/v3.0.0
- https://security.netapp.com/advisory/ntap-20230413-0007
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: The request package is no longer supported by the maintainer.
Affected versions:
["0.10.0", "0.8.3", "0.9.0", "0.9.1", "0.9.5", "1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.5", "1.9.7", "1.9.8", "1.9.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.1.0", "2.1.1", "2.2.0", "2.2.5", "2.2.6", "2.2.9", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.150", "2.9.151", "2.9.152", "2.9.153", "2.9.200", "2.9.201", "2.9.202", "2.9.203", "2.10.0", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.16.4", "2.16.6", "2.18.0", "2.19.0", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.26.0", "2.27.0", "2.28.0", "2.29.0", "2.30.0", "2.31.0", "2.32.0", "2.33.0", "2.34.0", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.47.0", "2.48.0", "2.49.0", "2.50.0", "2.51.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.65.0", "2.66.0", "2.67.0", "2.68.0", "2.69.0", "2.70.0", "2.71.0", "2.72.0", "2.73.0", "2.74.0", "2.75.0", "2.76.0", "2.77.0", "2.78.0", "2.79.0", "2.80.0", "2.81.0", "2.82.0", "2.83.0", "2.84.0", "2.85.0", "2.86.0", "2.87.0", "2.88.0", "2.88.2"]
Secure versions:
[]
Remote Memory Exposure
Published date: 2017-04-14
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Coordinating vendor: ^Lift Security
Request is an http client.
If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body.
Example to reproduce: ``` var request = require('request'); var http = require('http');
var serveFunction = function (req, res){ req.on('data', function (data) { console.log(data) }); res.end(); }; var server = http.createServer(serveFunction); server.listen(8000);
request({
method: POST
,
uri: 'http://localhost:8000',
multipart: [{body:500}]
},function(err,res,body){});
```
Affected versions:
["2.2.6", "2.2.9", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.150", "2.9.151", "2.9.152", "2.9.153", "2.9.200", "2.9.201", "2.9.202", "2.9.203", "2.10.0", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.16.4", "2.16.6", "2.18.0", "2.19.0", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.26.0", "2.27.0", "2.28.0", "2.29.0", "2.30.0", "2.31.0", "2.32.0", "2.33.0", "2.34.0", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.65.0", "2.66.0", "2.67.0"]
Secure versions:
[]
Recommendation:
Upgrade request to version 2.68.0 or higher.
Note that versions 2.47.0-2.51.0 are not vulnerable due to a node level error that occurs when a number is passed as the body.
126 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 2.2.0 | Apache-2.0 | 1 | 2011-11-06 - 01:40 | over 12 years |
| 2.1.1 | Apache-2.0 | 1 | 2011-08-23 - 03:59 | over 12 years |
| 2.1.0 | Apache-2.0 | 1 | 2011-08-15 - 04:03 | over 12 years |
| 2.0.5 | Apache-2.0 | 1 | 2011-08-13 - 21:46 | over 12 years |
| 2.0.4 | Apache-2.0 | 1 | 2011-08-13 - 21:28 | over 12 years |
| 2.0.3 | Apache-2.0 | 1 | 2011-08-12 - 23:16 | over 12 years |
| 2.0.2 | Apache-2.0 | 1 | 2011-07-29 - 20:48 | over 12 years |
| 2.0.1 | Apache-2.0 | 1 | 2011-07-21 - 22:22 | almost 13 years |
| 2.0.0 | Apache-2.0 | 1 | 2011-07-21 - 21:10 | almost 13 years |
| 1.9.9 | Apache-2.0 | 1 | 2011-07-21 - 02:03 | almost 13 years |
| 1.9.8 | Apache-2.0 | 1 | 2011-06-23 - 21:15 | almost 13 years |
| 1.9.7 | Apache-2.0 | 1 | 2011-06-23 - 17:36 | almost 13 years |
| 1.9.5 | Apache-2.0 | 1 | 2011-03-27 - 22:30 | about 13 years |
| 1.9.3 | Apache-2.0 | 1 | 2011-03-22 - 18:32 | about 13 years |
| 1.9.2 | Apache-2.0 | 1 | 2011-03-22 - 18:29 | about 13 years |
| 1.9.1 | Apache-2.0 | 1 | 2011-03-22 - 18:07 | about 13 years |
| 1.9.0 | Apache-2.0 | 1 | 2011-02-11 - 00:10 | about 13 years |
| 1.2.0 | Apache-2.0 | 1 | 2011-01-30 - 22:05 | about 13 years |
| 1.1.1 | Apache-2.0 | 1 | 2011-01-23 - 01:38 | over 13 years |
| 1.1.0 | Apache-2.0 | 1 | 2011-01-23 - 01:14 | over 13 years |
| 1.0.0 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |
| 0.10.0 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |
| 0.9.5 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |
| 0.9.1 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |
| 0.9.0 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |
| 0.8.3 | Apache-2.0 | 1 | 2011-01-22 - 00:36 | over 13 years |