Bug 2389923 (CVE-2023-28155) - CVE-2023-28155 request: bypass of SSRF mitigations when following a cross-protocol redirect
Keywords:
Status: NEW
Alias: CVE-2023-28155
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2389926 2389927 2389928 2389929 2389930 2389931
Blocks:
Reported: 2025-08-20 21:33 UTC by OSIDB Bzimport
Modified: 2025-09-17 16:56 UTC
CC List: 91 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-08-20 21:33:13 UTC
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

