You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Overview request is a simplified http request client. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: This package has been deprecated, so a fix is not expected. See request/request#3142.
I understand the switch away from using request is queued up for V2 but given this vulnerability can it be moved forward?
The text was updated successfully, but these errors were encountered:
Snyk has identified an issue with the request module being used by jsforce.
https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831
Overview
request is a simplified http request client. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: This package has been deprecated, so a fix is not expected. See request/request#3142.
I understand the switch away from using request is queued up for V2 but given this vulnerability can it be moved forward?
The text was updated successfully, but these errors were encountered: