CVE-2023-28155

[khitrenovich]

Being a fork of the original request package, @cypress/request is vulnerable to CVE-2023-28155 (SSRF via insecure redirects). There is an issue and an open PR in the request repo, but the fix is unlikely to be merged since request is long abandoned. This fork is the second most popular fork, it would be great to have it patched.

[legobeat]

Ported over to in #28 (functionally equivalent to request#3444) and #30 (retains current non-safe defaults but exposes the same new option)

[MikeMcC399]

For @cypress/request@2.88.12 (currently the latest version)

npm audit on cypress@12.17.3 and earlier versions reports:

@cypress/request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install cypress@4.2.0, which is a breaking change
node_modules/@cypress/request
  cypress  >=4.3.0
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

Reference

• CVE-2023-28155

[MikeMcC399]

If / when this is resolved, then it would make sense to also update

https://github.com/cypress-io/cypress/blob/develop/cli/package.json#L23 currently showing

"@cypress/request": "^2.88.11",

because otherwise updating an installed instance of Cypress does not pull in the latest version of @cypress/request.

[nagash77]

Hi @MikeMcC399 we are working on that change at the moment. Hoping to have it ready to merge and deploy in the near future.

[MikeMcC399]

Hi Ben @nagash77

Thanks for the progress update! 👍🏻

[MikeMcC399]

• I see that PR feat: Add allowInsecureRedirect option #28 has now been merged 👍🏻 and @cypress/request@3.0.0 has been released.

[ST-DDT]

Here is the PR that adds the new release to cypress itself:

• breaking: Upgrade @cypress/request to 3.0.0 cypress#27495