NodeJS/request/2.30.0
Simplified HTTP request client.
https://www.npmjs.com/package/request
Apache-2.0
3 Security Vulnerabilities
Remote Memory Exposure in request
- https://nvd.nist.gov/vuln/detail/CVE-2017-16026
- https://github.com/advisories/GHSA-7xfp-9c55-5vqj
- https://github.com/request/request/issues/1904
- https://github.com/request/request/pull/2018
- https://www.npmjs.com/advisories/309
- https://nodesecurity.io/advisories/309
- https://github.com/request/request/pull/2022
- https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd
Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.
Proof of Concept
```
var request = require('request');
var http = require('http');

// Local listener that logs whatever body bytes the client sends.
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data);
  });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

// A numeric multipart body: affected versions allocate a buffer of that
// size and send its uninitialized contents as the part body.
request({
  method: 'POST',
  uri: 'http://localhost:8000',
  multipart: [{ body: 500 }]
}, function (err, res, body) {
  server.close();
});
```
Recommendation
Update to version 2.68.0 or later
Server-Side Request Forgery in Request
- https://nvd.nist.gov/vuln/detail/CVE-2023-28155
- https://github.com/request/request/issues/3442
- https://github.com/request/request/pull/3444
- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf
- https://github.com/advisories/GHSA-p8p7-x288-28g6
- https://security.netapp.com/advisory/ntap-20230413-0007/
The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Remote Memory Exposure
Request is an HTTP client. If a request is made using multipart, and the body type is a number, then that many bytes of non-zeroed (uninitialized) memory are sent as the body.
Example to reproduce:
```
var request = require('request');
var http = require('http');

// Local listener that logs whatever body bytes the client sends.
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data);
  });
  res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
  method: 'POST', // the method must be a string
  uri: 'http://localhost:8000',
  multipart: [{ body: 500 }]
}, function (err, res, body) {});
```
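For both memory-exposure entries on this page, a guard that a caller can put in front of a legacy request client, added here as an example and not taken from the request project: it coerces a numeric multipart `body` to its decimal text and rejects unsupported body types, so the byte count on the wire is the data the caller meant to send. The `sanitizeMultipartParts` and `multipartBodyBytes` names and the sample parts are constructed for this example.

```javascript
// Added example, not code from the request project: normalize multipart
// parts before they reach the client so a numeric `body` can never be
// interpreted as a buffer length.

function sanitizeMultipartParts(parts) {
  if (!Array.isArray(parts)) {
    throw new TypeError('multipart must be an array of parts');
  }
  return parts.map((part, i) => {
    if (part === null || typeof part !== 'object') {
      throw new TypeError(`part ${i}: expected an object with a body`);
    }
    const body = part.body;
    if (typeof body === 'string' || Buffer.isBuffer(body)) {
      return part; // already safe: the bytes sent are exactly the bytes given
    }
    if (typeof body === 'number') {
      // In affected versions a number becomes a buffer of that many
      // uninitialized bytes. Send its decimal text instead (500 -> "500").
      return Object.assign({}, part, { body: String(body) });
    }
    throw new TypeError(`part ${i}: unsupported body type ${typeof body}`);
  });
}

// Total bytes the part bodies contribute, so a caller can confirm the size
// on the wire matches the data it intended to send.
function multipartBodyBytes(parts) {
  return parts.reduce((n, p) => n + Buffer.byteLength(p.body), 0);
}

// Constructed sample input mirroring the advisory: one numeric body.
const sampleParts = [
  { body: 500 },
  { 'content-type': 'text/plain', body: 'hello' }
];
const safeParts = sanitizeMultipartParts(sampleParts);
// "500" + "hello" is 8 bytes; the unsanitized input would have sent 505.
console.log(multipartBodyBytes(safeParts)); // 8
```

Call `request({ method: 'POST', uri: target, multipart: sanitizeMultipartParts(parts) }, cb)` so the guard runs on every request; this is a caller-side check and does not replace upgrading to 2.68.0 or later.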
126 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
2.88.2 | Apache-2.0 | 1 | 2020-02-11 - 16:35 | over 3 years |
2.88.0 | Apache-2.0 | 1 | 2018-08-10 - 16:26 | almost 5 years |
2.87.0 | Apache-2.0 | 1 | 2018-05-21 - 07:35 | about 5 years |
2.86.0 | Apache-2.0 | 1 | 2018-05-15 - 12:06 | about 5 years |
2.85.0 | Apache-2.0 | 1 | 2018-03-12 - 10:37 | about 5 years |
2.84.0 | Apache-2.0 | 1 | 2018-03-12 - 08:40 | about 5 years |
2.83.0 | Apache-2.0 | 1 | 2017-09-27 - 03:00 | over 5 years |
2.82.0 | Apache-2.0 | 1 | 2017-09-19 - 19:39 | over 5 years |
2.81.0 | Apache-2.0 | 1 | 2017-03-09 - 15:56 | about 6 years |
2.80.0 | Apache-2.0 | 1 | 2017-03-04 - 04:42 | about 6 years |
2.79.0 | Apache-2.0 | 1 | 2016-11-18 - 17:21 | over 6 years |
2.78.0 | Apache-2.0 | 1 | 2016-11-03 - 13:38 | over 6 years |
2.77.0 | Apache-2.0 | 1 | 2016-11-03 - 11:17 | over 6 years |
2.76.0 | Apache-2.0 | 1 | 2016-10-25 - 08:57 | over 6 years |
2.75.0 | Apache-2.0 | 1 | 2016-09-17 - 22:33 | over 6 years |
2.74.0 | Apache-2.0 | 1 | 2016-07-22 - 23:44 | almost 7 years |
2.73.0 | Apache-2.0 | 1 | 2016-07-09 - 07:43 | almost 7 years |
2.72.0 | Apache-2.0 | 1 | 2016-04-17 - 13:53 | about 7 years |
2.71.0 | Apache-2.0 | 1 | 2016-04-12 - 13:09 | about 7 years |
2.70.0 | Apache-2.0 | 1 | 2016-04-05 - 10:07 | about 7 years |
2.69.0 | Apache-2.0 | 1 | 2016-01-27 - 19:00 | over 7 years |
2.68.0 | Apache-2.0 | 1 | 2016-01-27 - 16:20 | over 7 years |
2.67.0 | Apache-2.0 | 3 | 2015-11-19 - 07:45 | over 7 years |
2.66.0 | Apache-2.0 | 3 | 2015-11-18 - 10:07 | over 7 years |
2.65.0 | Apache-2.0 | 3 | 2015-10-11 - 18:04 | over 7 years |
2.64.0 | Apache-2.0 | 3 | 2015-09-25 - 12:21 | over 7 years |
2.63.0 | Apache-2.0 | 3 | 2015-09-21 - 14:00 | over 7 years |
2.62.0 | Apache-2.0 | 3 | 2015-09-15 - 08:23 | over 7 years |
2.61.0 | Apache-2.0 | 3 | 2015-08-19 - 15:39 | almost 8 years |
2.60.0 | Apache-2.0 | 3 | 2015-07-21 - 12:29 | almost 8 years |
2.59.0 | Apache-2.0 | 3 | 2015-07-20 - 08:49 | almost 8 years |
2.58.0 | Apache-2.0 | 3 | 2015-06-16 - 11:28 | almost 8 years |
2.57.0 | Apache-2.0 | 3 | 2015-05-31 - 19:04 | almost 8 years |
2.56.0 | Apache-2.0 | 3 | 2015-05-28 - 18:03 | about 8 years |
2.55.0 | Apache-2.0 | 3 | 2015-04-05 - 04:24 | about 8 years |
2.54.0 | Apache-2.0 | 3 | 2015-03-24 - 22:01 | about 8 years |
2.53.0 | Apache-2.0 | 3 | 2015-02-02 - 16:09 | over 8 years |
2.52.0 | Apache-2.0 | 3 | 2015-02-02 - 00:58 | over 8 years |
2.51.0 | Apache-2.0 | 2 | 2014-12-10 - 15:08 | over 8 years |
2.50.0 | Apache-2.0 | 2 | 2014-12-09 - 15:36 | over 8 years |
2.49.0 | Apache-2.0 | 2 | 2014-11-28 - 18:12 | over 8 years |
2.48.0 | Apache-2.0 | 1 | 2014-11-12 - 17:08 | over 8 years |
2.47.0 | Apache-2.0 | 1 | 2014-10-26 - 23:52 | over 8 years |
2.46.0 | Apache-2.0 | 3 | 2014-10-23 - 16:34 | over 8 years |
2.45.0 | Apache-2.0 | 3 | 2014-10-06 - 00:06 | over 8 years |
2.44.0 | Apache-2.0 | 3 | 2014-09-18 - 10:53 | over 8 years |
2.43.0 | Apache-2.0 | 3 | 2014-09-18 - 10:51 | over 8 years |
2.42.0 | Apache-2.0 | 3 | 2014-09-04 - 22:24 | over 8 years |
2.41.0 | Apache-2.0 | 3 | 2014-09-04 - 20:36 | over 8 years |
2.40.0 | Apache-2.0 | 3 | 2014-08-06 - 18:29 | almost 9 years |
2.39.0 | Apache-2.0 | 3 | 2014-07-24 - 02:20 | almost 9 years |
2.38.0 | Apache-2.0 | 3 | 2014-07-22 - 13:44 | almost 9 years |
2.37.0 | Apache-2.0 | 3 | 2014-07-07 - 17:24 | almost 9 years |
2.36.0 | Apache-2.0 OR Version 2.0 | 3 | 2014-05-19 - 20:58 | about 9 years |
2.35.0 | Apache-2.0 OR Version 2.0 | 3 | 2014-05-17 - 20:56 | about 9 years |
2.34.0 | Apache-2.0 OR Version 2.0 | 3 | 2014-02-18 - 19:35 | over 9 years |
2.33.0 | Apache-2.0 | 3 | 2014-01-16 - 19:48 | over 9 years |
2.32.0 | Apache-2.0 | 3 | 2014-01-16 - 19:33 | over 9 years |
2.31.0 | Apache-2.0 | 3 | 2014-01-08 - 02:57 | over 9 years |
2.30.0 | Apache-2.0 | 3 | 2013-12-13 - 19:17 | over 9 years |
2.29.0 | Apache-2.0 | 3 | 2013-12-06 - 20:05 | over 9 years |
2.28.0 | Apache-2.0 | 3 | 2013-12-04 - 19:42 | over 9 years |
2.27.0 | Apache-2.0 | 3 | 2013-08-15 - 21:30 | almost 10 years |
2.26.0 | Apache-2.0 | 3 | 2013-08-07 - 16:31 | almost 10 years |
2.25.0 | Apache-2.0 | 3 | 2013-07-23 - 21:51 | almost 10 years |
2.24.0 | Apache-2.0 | 3 | 2013-07-23 - 20:51 | almost 10 years |
2.23.0 | Apache-2.0 | 3 | 2013-07-23 - 02:45 | almost 10 years |
2.22.0 | Apache-2.0 | 3 | 2013-07-05 - 17:12 | almost 10 years |
2.21.0 | Apache-2.0 | 3 | 2013-04-30 - 21:28 | about 10 years |
2.20.0 | Apache-2.0 | 3 | 2013-04-22 - 21:49 | about 10 years |
2.19.0 | Apache-2.0 | 3 | 2013-04-22 - 16:48 | about 10 years |
2.18.0 | Apache-2.0 | 3 | 2013-04-22 - 15:53 | about 10 years |
2.16.6 | Apache-2.0 | 3 | 2013-03-18 - 22:48 | about 10 years |
2.16.4 | Apache-2.0 | 3 | 2013-03-18 - 19:16 | about 10 years |
2.16.2 | Apache-2.0 | 3 | 2013-03-13 - 20:46 | about 10 years |
2.16.0 | Apache-2.0 | 3 | 2013-03-13 - 17:48 | about 10 years |
2.14.0 | Apache-2.0 | 3 | 2013-02-19 - 23:53 | over 10 years |
2.12.0 | Apache-2.0 | 3 | 2012-11-09 - 21:49 | over 10 years |
2.11.4 | Apache-2.0 | 3 | 2012-09-17 - 19:34 | over 10 years |
2.11.3 | Apache-2.0 | 3 | 2012-09-17 - 19:20 | over 10 years |
2.11.2 | Apache-2.0 | 3 | 2012-09-17 - 19:19 | over 10 years |
2.11.1 | Apache-2.0 | 3 | 2012-09-04 - 15:20 | over 10 years |
2.11.0 | Apache-2.0 | 3 | 2012-08-29 - 19:18 | almost 11 years |
2.10.0 | Apache-2.0 | 3 | 2012-08-01 - 20:56 | almost 11 years |
2.9.203 | Apache-2.0 | 3 | 2012-06-28 - 19:58 | almost 11 years |
2.9.202 | Apache-2.0 | 3 | 2012-04-14 - 01:48 | about 11 years |
2.9.201 | Apache-2.0 | 3 | 2012-04-12 - 17:44 | about 11 years |
2.9.200 | Apache-2.0 | 3 | 2012-04-08 - 00:41 | about 11 years |
2.9.153 | Apache-2.0 | 3 | 2012-03-01 - 23:43 | about 11 years |
2.9.152 | Apache-2.0 | 3 | 2012-02-25 - 20:55 | over 11 years |
2.9.151 | Apache-2.0 | 3 | 2012-02-24 - 23:08 | over 11 years |
2.9.150 | Apache-2.0 | 3 | 2012-02-24 - 17:53 | over 11 years |
2.9.100 | Apache-2.0 | 3 | 2012-01-20 - 21:25 | over 11 years |
2.9.3 | Apache-2.0 | 3 | 2011-12-28 - 01:49 | over 11 years |
2.9.2 | Apache-2.0 | 3 | 2011-12-28 - 01:04 | over 11 years |
2.9.1 | Apache-2.0 | 3 | 2011-12-28 - 01:02 | over 11 years |
2.9.0 | Apache-2.0 | 3 | 2011-12-28 - 00:47 | over 11 years |
2.2.9 | Apache-2.0 | 3 | 2011-12-01 - 08:39 | over 11 years |
2.2.6 | Apache-2.0 | 3 | 2011-12-01 - 07:38 | over 11 years |
2.2.5 | Apache-2.0 | 1 | 2011-11-17 - 06:35 | over 11 years |