CVE-2023-28155 Overview
CVE-2023-28155 is a Server-Side Request Forgery (SSRF) mitigation bypass vulnerability affecting the Request package through version 2.88.1 for Node.js. The vulnerability allows attackers to bypass SSRF protections by leveraging an attacker-controlled server that performs cross-protocol redirects between HTTP and HTTPS. This flaw enables malicious actors to circumvent security controls designed to prevent internal network access or unauthorized resource retrieval.
It is important to note that this vulnerability only affects products that are no longer supported by the maintainer, as the Request package has been deprecated since February 2020.
Critical Impact
Attackers can bypass SSRF mitigations to access internal resources, potentially leading to unauthorized data access, internal service enumeration, and further exploitation of internal systems.
Affected Products
- Request package for Node.js through version 2.88.1
- Applications and services using the deprecated Request npm package
- NetApp products as referenced in their security advisory
Discovery Timeline
- 2023-03-16 - CVE-2023-28155 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28155
Vulnerability Analysis
The vulnerability exists in how the Request package handles cross-protocol redirects. When a Node.js application uses the Request library with SSRF mitigations in place (such as blocking requests to internal IP addresses or localhost), an attacker can bypass these protections by controlling a server that issues a redirect response switching protocols from HTTP to HTTPS or vice versa.
The SSRF mitigation logic in the Request package validates the initial request URL but fails to re-validate the target URL after a cross-protocol redirect occurs. This oversight allows attackers to chain requests through their controlled server to reach otherwise protected internal resources.
The CWE-918 (Server-Side Request Forgery) classification highlights that this vulnerability enables attackers to abuse the server's ability to make outbound requests, potentially accessing internal services that should not be reachable from external networks.
Root Cause
The root cause lies in insufficient validation of redirect targets when the protocol changes between HTTP and HTTPS. The Request package's redirect handling logic does not consistently re-apply SSRF protection checks after a cross-protocol redirect, creating a security gap that can be exploited to reach blocked destinations.
The deprecated status of the Request package compounds this issue, as no official patches are being developed by the maintainers, leaving applications dependent on community-driven fixes or migration to alternative libraries.
Attack Vector
The attack requires user interaction in the form of a web application or service making an HTTP request using the vulnerable Request library. The attacker sets up a malicious server that responds to initial requests with a redirect response (HTTP 301/302/307/308) that switches protocols.
The attack flow typically follows this pattern:
- Attacker identifies an application using the Request package with SSRF protections
- Attacker crafts a malicious URL pointing to their controlled server
- Application makes a request to the attacker's server
- Attacker's server responds with a cross-protocol redirect to an internal resource (e.g., redirecting from https://attacker.com to http://169.254.169.254)
- The Request library follows the redirect without re-validating SSRF restrictions
- Internal resource is accessed, and the response may be returned to the attacker
For technical details on the exploitation mechanism, refer to the Doyensec Advisory on SSRF.
Detection Methods for CVE-2023-28155
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests to external servers followed by requests to internal IP ranges
- Web application logs showing redirect chains that switch between HTTP and HTTPS protocols
- Network traffic patterns indicating requests to cloud metadata endpoints (e.g., 169.254.169.254) originating from application servers
- Application errors or responses containing internal service data that should not be externally accessible
Detection Strategies
- Implement network monitoring to detect cross-protocol redirect patterns in outbound web requests
- Configure web application firewalls (WAF) to flag requests with suspicious redirect behaviors
- Audit application dependencies using npm audit or similar tools to identify use of the deprecated Request package
- Monitor for requests to common SSRF targets such as cloud metadata services, internal IP ranges, and localhost
Monitoring Recommendations
- Enable detailed logging for all outbound HTTP requests made by Node.js applications
- Set up alerts for network connections to internal resources from application server processes
- Implement egress filtering and monitor for bypass attempts
- Regularly scan application codebases for usage of the deprecated request npm package
How to Mitigate CVE-2023-28155
Immediate Actions Required
- Inventory all applications using the Request npm package and prioritize migration to actively maintained alternatives
- Implement network-level SSRF protections that cannot be bypassed by application-level redirects
- Configure egress firewall rules to block application servers from accessing internal metadata services and sensitive internal resources
- Apply the community-provided patch if migration is not immediately feasible
Patch Information
The Request package has been deprecated since February 2020, and no official patches are being released by the maintainers. However, a community-submitted fix is available via GitHub Pull Request #3444. Organizations are strongly encouraged to migrate to actively maintained alternatives such as:
- node-fetch - Lightweight module bringing Fetch API to Node.js
- axios - Promise-based HTTP client with built-in request/response interceptors
- got - Human-friendly and powerful HTTP request library
For additional context, review the GitHub Issue #3442 discussing this vulnerability.
Workarounds
- Disable automatic redirect following in the Request library configuration and manually validate redirect targets before following them
- Implement a custom redirect handler that enforces SSRF restrictions on all redirect targets regardless of protocol changes
- Deploy network-level controls such as egress proxies that validate all outbound requests against SSRF blocklists
- Consider using a security-focused HTTP wrapper that provides robust SSRF protection out of the box
# Example: Disable automatic redirects in Request configuration
# In your Node.js application, configure requests to not follow redirects automatically:
# const request = require('request');
# request({ url: targetUrl, followRedirect: false }, callback);
# Then manually validate any redirect URLs before following them
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
