CVE-2023-28155

[khitrenovich]

Being a fork of the original request package, @cypress/request is vulnerable to CVE-2023-28155 (SSRF via insecure redirects). There is an issue and an open PR in the request repo, but the fix is unlikely to be merged since request is long abandoned. This fork is the second most popular fork, it would be great to have it patched.

[legobeat]

Ported over to in #28 (functionally equivalent to request#3444) and #30 (retains current non-safe defaults but exposes the same new option)

[MikeMcC399]

For @cypress/request@2.88.12 (currently the latest version)

npm audit on cypress@12.17.3 and earlier versions reports:

@cypress/request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/@cypress/request
  cypress  >=4.3.0
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

Reference

• CVE-2023-28155

[MikeMcC399]

If / when this is resolved, then it would make sense to also update

https://github.com/cypress-io/cypress/blob/develop/cli/package.json#L23 currently showing

"@cypress/request": "^2.88.11",

because otherwise updating an installed instance of Cypress does not pull in the latest version of @cypress/request.

[nagash77]

Hi @MikeMcC399 we are working on that change at the moment. Hoping to have it ready to merge and deploy in the near future.

[MikeMcC399]

Hi Ben @nagash77

Thanks for the progress update! 👍🏻

[MikeMcC399]

• I see that PR feat: Add allowInsecureRedirect option #28 has now been merged 👍🏻 and @cypress/request@3.0.0 has been released.

[ST-DDT]

Here is the PR that adds the new release to cypress itself:

• breaking: Upgrade @cypress/request to 3.0.0 cypress#27495

[MikeMcC399]

@khitrenovich

• Could you please check? I believe that the merged PR feat: Add allowInsecureRedirect option #28 and the release of @cypress/request@3.0.0 resolves this issue and that therefore this issue could be closed.

[khitrenovich]

We stopped using @cypress/request since the issue was opened, so I won't be able to verify that. I hope one of the people who upvoted the issue (more than dozen as of today) could chime in and help.

[heloufir]

Hello @MikeMcC399
I can confirm that there is no vulnerability alert when I run npm audit fix after I changed the version of @cypress/request to 3.0.0 in my projet.

For my case I am using cypress to do e2e testing, and I was having the npm vulnerability alert, but after I added the below code to my package.json file, the alert is gone! thanks a lot to dev team:

Dependencies used in my project:

{
  "devDependencies": {
    "@cypress/schematic": "latest",
    "@cypress/xpath": "^2.0.3",
    "cypress": "latest",
    "@badeball/cypress-cucumber-preprocessor": "latest",
    "@bahmutov/cypress-esbuild-preprocessor": "latest",
  },
}

Cypress request override (forced to use the new version):

{
  "overrides": {
    "@cypress/request": "^3.0.0"
  }
}

[OleksiiKachan]

if you are using yarn then instead of overrides use resolutions

  "resolutions": {
    "@cypress/request": "^3.0.0"
  }

[MikeMcC399]

• PR [GHSA-p8p7-x288-28g6] Server-Side Request Forgery in Request github/advisory-database#2609 updates the GitHub Advisory GHSA-p8p7-x288-28g6 to mark this issue as being resolved by @cypress/request@3.0.0.

[nbouvrette]

This will be fixed on Cypress when cypress-io/cypress#27495 is merged.

[verheyenkoen]

This will be fixed on Cypress when cypress-io/cypress#27495 is merged.

Appears to be a breaking change according to #37 cypress-io/cypress#27495 (comment). Will have to wait for Cypress 13 to be fully fixed.

[MikeMcC399]

This issue is about the vulnerability in @cypress/request which was fixed in @cypress/request@3.0.0.

To confirm that no vulnerability is reported when using @cypress/request@3.0.0:

mkdir cy-request-test
cd cy-request-test
npm init -y
npm install @cypress/request
npm ls
npm audit

shows:

cy-request-test@1.0.0
└── @cypress/request@3.0.0

found 0 vulnerabilities

So from a formal point of view this issue could be closed. It may however be helpful to leave it open until the issue has been fixed in Cypress itself.

---

The vulnerability in Cypress 12.x was reported in

• issue Getting 2 moderate severity vulnerabilities  cypress#27535
  and is planned for resolution through
• PR breaking: Upgrade @cypress/request to 3.0.0 cypress#27495
  followed by
• PR breaking: v13.0.0 cypress#27040

[MikeMcC399]

Cypress 13.0.0 changelog for the version released today, Aug 29, 2023, states:

Dependency Updates:

• Upgraded @cypress/request from ^2.88.11 to ^3.0.0 to address the CVE-2023-28155 security vulnerability. Addresses #27535. Addressed in #27495.

There should be no further barriers to closing this issue.

[chrisbreiding]

Released in Cypress 13.0.0.