The request package is abandoned and has security issues

[justinhoward]

What is the problem?

The request package has been unmaintained for 3 years.

And has an active CVE related to it CVE-2023-28155

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

GitHub Dependabot also reports this same vulnerability.

What should we do about it?

Because request is no longer maintained, it unfortunately needs to be replaced. Here is a GitHub issue that contains a list of some options.

[adohertyTS]

@justinhoward Thanks for bringing this to our attention. We will review this internally.

[justinhoward]

@adohertyTS do you have any idea on the timeline for a fix?

There are now two more CVEs for transative dependencies of request:

https://nvd.nist.gov/vuln/detail/CVE-2023-26136
https://nvd.nist.gov/vuln/detail/CVE-2022-24999

[adohertyTS]

Hi @justinhoward, with the most recent release (3.0.0), we are no longer using the request package. See https://github.com/TeleSign/node_telesign/releases/tag/v3.0.0.