
Request - Server-Side Request Forgery (SSRF) #153

Open
Luen opened this issue Mar 5, 2024 · 1 comment

Comments

@Luen

Luen commented Mar 5, 2024

Snyk and npm audit are complaining about a security vulnerability in one of the node-strava-v3 package's dependencies, the request package. This vulnerability has been catalogued by Snyk with the identifier SNYK-JS-REQUEST-3361831, highlighting a CWE-918: Server-Side Request Forgery (SSRF) issue.

Vulnerability Details

The request package, which node-strava-v3 depends on, is vulnerable to SSRF attacks due to insufficient validation of user-supplied URLs in its lib/redirect.js file. This flaw allows attackers to perform insecure redirects to different protocols (e.g., from HTTP to HTTPS or vice versa), potentially leading to unauthorized access to sensitive information or internal systems.

It shouldn't be an issue since this package is only used with the official Strava API.

Affected Versions:

  • strava-v3@2.2.0 depends on request@2.88.2.

GitHub Issues:

@markstos
Collaborator

markstos commented Mar 5, 2024

'request' is deprecated anyway so it would be good to replace or eliminate the dep.
