NodeJS/request/2.9.200

Simplified HTTP request client.

https://www.npmjs.com/package/request
Apache-2.0

3 Security Vulnerabilities

Remote Memory Exposure in request

Published date: 2018-11-09T17:44:01Z
CVE: CVE-2017-16026
Links:

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
    req.on('data', function (data) {
            console.log(data)
        });
    res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
    method: "POST",
    uri: 'http://localhost:8000',
    multipart: [{body:500}]
},function(err,res,body){});

Recommendation

Update to version 2.68.0 or later

Affected versions: ["2.2.6", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.151", "2.9.153", "2.9.200", "2.9.201", "2.10.0", "2.11.1", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.18.0", "2.19.0", "2.26.0", "2.28.0", "2.30.0", "2.33.0", "2.34.0", "2.36.0", "2.37.0", "2.39.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.2.9", "2.9.150", "2.9.152", "2.9.202", "2.9.203", "2.11.0", "2.11.2", "2.11.3", "2.16.4", "2.16.6", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.27.0", "2.29.0", "2.31.0", "2.32.0", "2.35.0", "2.38.0", "2.40.0", "2.41.0", "2.42.0", "2.49.0", "2.50.0", "2.51.0", "2.52.0", "2.55.0", "2.56.0", "2.57.0", "2.65.0", "2.66.0", "2.53.0", "2.54.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.67.0"]
Secure versions: []

Server-Side Request Forgery in Request

Published date: 2023-03-16T15:30:19Z
CVE: CVE-2023-28155
Links:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Affected versions: ["0.10.0", "0.9.1", "1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.9.0", "1.9.1", "1.9.2", "1.9.5", "1.9.7", "2.0.0", "2.0.4", "2.0.5", "2.2.0", "2.2.6", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.151", "2.9.153", "2.9.200", "2.9.201", "2.10.0", "2.11.1", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.18.0", "2.19.0", "2.26.0", "2.28.0", "2.30.0", "2.33.0", "2.34.0", "2.36.0", "2.37.0", "2.39.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.47.0", "2.49.0", "2.50.0", "2.51.0", "2.52.0", "2.55.0", "2.56.0", "2.57.0", "2.65.0", "2.66.0", "2.68.0", "2.69.0", "2.71.0", "2.74.0", "2.78.0", "2.80.0", "2.81.0", "2.82.0", "2.83.0", "2.84.0", "2.85.0", "2.86.0", "2.87.0", "2.88.0", "0.8.3", "0.9.0", "0.9.5", "1.9.3", "1.9.8", "1.9.9", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.2.5", "2.2.9", "2.9.150", "2.9.152", "2.9.202", "2.9.203", "2.11.0", "2.11.2", "2.11.3", "2.16.4", "2.16.6", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.27.0", "2.29.0", "2.31.0", "2.32.0", "2.35.0", "2.38.0", "2.40.0", "2.41.0", "2.42.0", "2.48.0", "2.53.0", "2.54.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.67.0", "2.70.0", "2.72.0", "2.73.0", "2.75.0", "2.76.0", "2.77.0", "2.79.0", "2.88.2"]
Secure versions: []

Remote Memory Exposure

Published date: 2017-04-14
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Coordinating vendor: ^Lift Security
Links:

Request is an http client.

If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body.

Example to reproduce: ``` var request = require('request'); var http = require('http');

var serveFunction = function (req, res){ req.on('data', function (data) { console.log(data) }); res.end(); }; var server = http.createServer(serveFunction); server.listen(8000);

request({ method: POST, uri: 'http://localhost:8000', multipart: [{body:500}] },function(err,res,body){}); ```

Affected versions: ["2.2.6", "2.2.9", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.100", "2.9.150", "2.9.151", "2.9.152", "2.9.153", "2.9.200", "2.9.201", "2.9.202", "2.9.203", "2.10.0", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.14.0", "2.16.0", "2.16.2", "2.16.4", "2.16.6", "2.18.0", "2.19.0", "2.20.0", "2.21.0", "2.22.0", "2.23.0", "2.24.0", "2.25.0", "2.26.0", "2.27.0", "2.28.0", "2.29.0", "2.30.0", "2.31.0", "2.32.0", "2.33.0", "2.34.0", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.65.0", "2.66.0", "2.67.0", "0.10.0", "0.8.3", "0.9.0", "0.9.1", "0.9.5", "1.0.0", "1.1.0", "1.1.1", "1.2.0", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.5", "1.9.7", "1.9.8", "1.9.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.1.0", "2.1.1", "2.2.0", "2.2.5", "NodeJS/request/2.2.6", "NodeJS/request/2.9.0", "NodeJS/request/2.9.1", "NodeJS/request/2.9.2", "NodeJS/request/2.9.3", "NodeJS/request/2.9.100", "NodeJS/request/2.9.151", "NodeJS/request/2.9.153", "NodeJS/request/2.9.200", "NodeJS/request/2.9.201", "NodeJS/request/2.10.0", "NodeJS/request/2.11.1", "NodeJS/request/2.11.4", "NodeJS/request/2.12.0", "NodeJS/request/2.14.0", "NodeJS/request/2.16.0", "NodeJS/request/2.16.2", "NodeJS/request/2.18.0", "NodeJS/request/2.19.0", "NodeJS/request/2.26.0", "NodeJS/request/2.28.0", "NodeJS/request/2.30.0", "NodeJS/request/2.33.0", "NodeJS/request/2.34.0", "NodeJS/request/2.36.0", "NodeJS/request/2.37.0", "NodeJS/request/2.39.0", "NodeJS/request/2.43.0", "NodeJS/request/2.44.0", "NodeJS/request/2.45.0", "NodeJS/request/2.46.0", "NodeJS/request/2.2.9", "NodeJS/request/2.9.150", "NodeJS/request/2.9.152", "NodeJS/request/2.9.202", "NodeJS/request/2.9.203", "NodeJS/request/2.11.0", "NodeJS/request/2.11.2", "NodeJS/request/2.11.3", "NodeJS/request/2.16.4", "NodeJS/request/2.16.6", "NodeJS/request/2.20.0", "NodeJS/request/2.21.0", "NodeJS/request/2.22.0", "NodeJS/request/2.23.0", "NodeJS/request/2.24.0", "NodeJS/request/2.25.0", "NodeJS/request/2.27.0", "NodeJS/request/2.29.0", "NodeJS/request/2.31.0", "NodeJS/request/2.32.0", "NodeJS/request/2.35.0", "NodeJS/request/2.38.0", "NodeJS/request/2.40.0", "NodeJS/request/2.41.0", "NodeJS/request/2.42.0", "NodeJS/request/2.52.0", "NodeJS/request/2.55.0", "NodeJS/request/2.56.0", "NodeJS/request/2.57.0", "NodeJS/request/2.65.0", "NodeJS/request/2.66.0", "NodeJS/request/2.53.0", "NodeJS/request/2.54.0", "NodeJS/request/2.58.0", "NodeJS/request/2.59.0", "NodeJS/request/2.60.0", "NodeJS/request/2.61.0", "NodeJS/request/2.62.0", "NodeJS/request/2.63.0", "NodeJS/request/2.64.0", "NodeJS/request/2.67.0"]
Secure versions: []
Recommendation: Upgrade request to version 2.68.0 or higher. Note that versions 2.47.0-2.51.0 are not vulnerable due to a node level error that occurs when a number is passed as the body.

126 Other Versions

Version License Security Released
2.39.0 Apache-2.0 3 2014-07-24 - 02:20 over 11 years
2.38.0 Apache-2.0 3 2014-07-22 - 13:44 over 11 years
2.37.0 Apache-2.0 3 2014-07-07 - 17:24 over 11 years
2.36.0 Apache-2.0 OR Version 2.0 3 2014-05-19 - 20:58 over 11 years
2.35.0 Apache-2.0 OR Version 2.0 3 2014-05-17 - 20:56 over 11 years
2.34.0 Apache-2.0 OR Version 2.0 3 2014-02-18 - 19:35 over 11 years
2.33.0 Apache-2.0 3 2014-01-16 - 19:48 almost 12 years
2.32.0 Apache-2.0 3 2014-01-16 - 19:33 almost 12 years
2.31.0 Apache-2.0 3 2014-01-08 - 02:57 almost 12 years
2.30.0 Apache-2.0 3 2013-12-13 - 19:17 almost 12 years
2.29.0 Apache-2.0 3 2013-12-06 - 20:05 almost 12 years
2.28.0 Apache-2.0 3 2013-12-04 - 19:42 almost 12 years
2.27.0 Apache-2.0 3 2013-08-15 - 21:30 about 12 years
2.26.0 Apache-2.0 3 2013-08-07 - 16:31 about 12 years
2.25.0 Apache-2.0 3 2013-07-23 - 21:51 over 12 years
2.24.0 Apache-2.0 3 2013-07-23 - 20:51 over 12 years
2.23.0 Apache-2.0 3 2013-07-23 - 02:45 over 12 years
2.22.0 Apache-2.0 3 2013-07-05 - 17:12 over 12 years
2.21.0 Apache-2.0 3 2013-04-30 - 21:28 over 12 years
2.20.0 Apache-2.0 3 2013-04-22 - 21:49 over 12 years
2.19.0 Apache-2.0 3 2013-04-22 - 16:48 over 12 years
2.18.0 Apache-2.0 3 2013-04-22 - 15:53 over 12 years
2.16.6 Apache-2.0 3 2013-03-18 - 22:48 over 12 years
2.16.4 Apache-2.0 3 2013-03-18 - 19:16 over 12 years
2.16.2 Apache-2.0 3 2013-03-13 - 20:46 over 12 years
2.16.0 Apache-2.0 3 2013-03-13 - 17:48 over 12 years
2.14.0 Apache-2.0 3 2013-02-19 - 23:53 over 12 years
2.12.0 Apache-2.0 3 2012-11-09 - 21:49 almost 13 years
2.11.4 Apache-2.0 3 2012-09-17 - 19:34 about 13 years
2.11.3 Apache-2.0 3 2012-09-17 - 19:20 about 13 years
2.11.2 Apache-2.0 3 2012-09-17 - 19:19 about 13 years
2.11.1 Apache-2.0 3 2012-09-04 - 15:20 about 13 years
2.11.0 Apache-2.0 3 2012-08-29 - 19:18 about 13 years
2.10.0 Apache-2.0 3 2012-08-01 - 20:56 about 13 years
2.9.203 Apache-2.0 3 2012-06-28 - 19:58 over 13 years
2.9.202 Apache-2.0 3 2012-04-14 - 01:48 over 13 years
2.9.201 Apache-2.0 3 2012-04-12 - 17:44 over 13 years
2.9.200 Apache-2.0 3 2012-04-08 - 00:41 over 13 years
2.9.153 Apache-2.0 3 2012-03-01 - 23:43 over 13 years
2.9.152 Apache-2.0 3 2012-02-25 - 20:55 over 13 years
2.9.151 Apache-2.0 3 2012-02-24 - 23:08 over 13 years
2.9.150 Apache-2.0 3 2012-02-24 - 17:53 over 13 years
2.9.100 Apache-2.0 3 2012-01-20 - 21:25 almost 14 years
2.9.3 Apache-2.0 3 2011-12-28 - 01:49 almost 14 years
2.9.2 Apache-2.0 3 2011-12-28 - 01:04 almost 14 years
2.9.1 Apache-2.0 3 2011-12-28 - 01:02 almost 14 years
2.9.0 Apache-2.0 3 2011-12-28 - 00:47 almost 14 years
2.2.9 Apache-2.0 3 2011-12-01 - 08:39 almost 14 years
2.2.6 Apache-2.0 3 2011-12-01 - 07:38 almost 14 years
2.2.5 Apache-2.0 1 2011-11-17 - 06:35 almost 14 years