{"id":"CVE-2023-28155","details":"The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.","aliases":["GHSA-p8p7-x288-28g6"],"modified":"2026-04-10T04:56:51.846525Z","published":"2023-03-16T15:15:11.107Z","related":["CGA-4f39-fxvg-gm2g"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230413-0007/"},{"type":"FIX","url":"https://github.com/request/request/issues/3442"},{"type":"FIX","url":"https://github.com/request/request/pull/3444"},{"type":"FIX","url":"https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/request/request","events":[{"introduced":"0"},{"last_affected":"8162961dfdb73dc35a5a4bfeefb858c2ed2ccbb7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.88.1"}]}}],"versions":["v1.2.0","v2.17.0","v2.18.0","v2.18.1","v2.19.0","v2.19.1","v2.20.0","v2.20.1","v2.21.0","v2.21.1","v2.22.0","v2.22.1","v2.23.0","v2.23.1","v2.24.0","v2.24.1","v2.25.0","v2.25.1","v2.26.0","v2.26.1","v2.27.0","v2.27.1","v2.28.0","v2.28.1","v2.29.0","v2.29.1","v2.30.0","v2.30.1","v2.31.0","v2.31.1","v2.32.0","v2.32.1","v2.33.0","v2.33.1","v2.34.0","v2.34.1","v2.35.0","v2.35.1","v2.36.0","v2.36.1","v2.37.0","v2.37.1","v2.38.0","v2.38.1","v2.39.0","v2.39.1","v2.40.0","v2.40.1","v2.41.0","v2.41.1","v2.42.0","v2.42.1","v2.43.0","v2.43.1","v2.44.0","v2.44.1","v2.45.0","v2.45.1","v2.46.0","v2.46.1","v2.47.0","v2.47.1","v2.48.0","v2.48.1","v2.52.0","v2.52.1","v2.53.0","v2.53.1","v2.54.0","v2.54.1","v2.55.0","v2.55.1","v2.56.0","v2.56.1","v2.57.0","v2.57.1","v2.58.0","v2.58.1","v2.59.0","v2.59.1","v2.60.0","v2.60.1","v2.66.0","v2.66.1","v2.67.0","v2.67.1","v2.68.0","v2.68.1","v2.70.0","v2.70.1","v2.71.0","v2.71.1","v2.72.0","v2.72
.1","v2.73.0","v2.73.1","v2.74.0","v2.74.1","v2.75.0","v2.75.1","v2.76.0","v2.76.1","v2.77.0","v2.77.1","v2.78.0","v2.78.1","v2.79.0","v2.79.1","v2.80.0","v2.80.1","v2.82.0","v2.82.1","v2.83.0","v2.83.1","v2.84.0","v2.84.1","v2.85.0","v2.85.1","v2.86.0","v2.86.1","v2.87.0","v2.87.1","v2.88.0","v2.88.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28155.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}