Request package vulnerable to SSRF #1312
Comments
|
We can move to postman-request it's a fork of the original request package and being actively maintained |
|
closing this as dup of #999 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Snyk has identified an issue with the request module being used by jsforce.
https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831
Overview
request is a simplified http request client. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to insufficient checks in the lib/redirect.js file by allowing insecure redirects in the default configuration, via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
NOTE: This package has been deprecated, so a fix is not expected. See request/request#3142.
I understand the switch away from using request is queued up for V2 but given this vulnerability can it be moved forward?
The text was updated successfully, but these errors were encountered: