{"id":"CVE-2023-28155","details":"The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.","aliases":["GHSA-p8p7-x288-28g6"],"modified":"2026-05-15T04:06:39.538335795Z","published":"2023-03-16T00:00:00Z","related":["CGA-4f39-fxvg-gm2g"],"database_specific":{"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28155.json"},"references":[{"type":"WEB","url":"https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28155.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28155"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230413-0007/"},{"type":"REPORT","url":"https://github.com/request/request/issues/3442"},{"type":"FIX","url":"https://github.com/request/request/pull/3444"}],"schema_version":"1.7.5"}