Bug 2389923 (CVE-2023-28155)

Summary: CVE-2023-28155 request: bypass of SSRF mitigations when following a cross-protocol redirect
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, aazores, abarbaro, adkhan, amctagga, anjoseph, aoconnor, aprice, asoldano, bbaranow, bdettelb, bmaxwell, bniver, brian.stansberry, caswilli, cmah, darran.lofthouse, dfreiber, dhanak, dkreling, doconnor, dosoudil, drosa, drow, dsimansk, eaguilar, ebaron, eric.wittmann, fjuma, flucifre, gmalinko, gmeno, gotiwari, gryan, gzaronik, ibek, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jchui, jgrulich, jhe, jhorak, jhuff, jkoehler, jolong, jprabhak, jrokos, kaycoth, kingland, ktsao, kverlaen, lchilton, lphiri, manissin, matzew, mbenjamin, mhackett, mnovotny, mosmerov, mpierce, msochure, msvehla, mvyas, nboldt, nipatil, nwallace, pantinor, pdelbell, pesilva, pjindal, pmackay, psrna, rkubis, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, smaestri, sostapov, teagle, tom.jenkinson, tpopela, vereddy, vkumar, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2389926, 2389927, 2389928, 2389929, 2389930, 2389931    
Bug Blocks:    

Description OSIDB Bzimport 2025-08-20 21:33:13 UTC 
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.