opentok-node icon indicating copy to clipboard operation
opentok-node copied to clipboard
verified publisher icon opentok

request-2.88.2.tgz: 3 vulnerabilities (highest severity is: 8.7) unreachable

Open mend-for-github-com[bot] opened this issue 3 years ago • 4 comments

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /sample/SipInterconnect/package.json

Path to vulnerable library: /sample/SipInterconnect/node_modules/request/package.json

Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (request version) Remediation Possible** Reachability
CVE-2025-7783 High 8.7 Not Defined 0.1% form-data-2.3.3.tgz Transitive N/A*

Unreachable
CVE-2023-26136 Medium 6.5 Proof of concept 6.8999996% tough-cookie-2.5.0.tgz Transitive N/A*

Unreachable
CVE-2023-28155 Medium 6.1 Not Defined 0.5% request-2.88.2.tgz Direct @cypress/request - 3.0.0

Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-7783

Vulnerable Library - form-data-2.3.3.tgz

A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.

Library home page: https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz

Path to dependency file: /sample/SipInterconnect/package.json

Path to vulnerable library: /sample/SipInterconnect/node_modules/form-data/package.json

Dependency Hierarchy:

  • request-2.88.2.tgz (Root Library)
    • :x: form-data-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3. Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-18

URL: CVE-2025-7783

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4

Release Date: 2025-07-18

Fix Resolution: form-data - 2.5.4,form-data - 3.0.4,https://github.com/form-data/form-data.git - v2.5.4,form-data - 4.0.4,https://github.com/form-data/form-data.git - v4.0.4,https://github.com/form-data/form-data.git - v3.0.4

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /sample/SipInterconnect/package.json

Path to vulnerable library: /sample/SipInterconnect/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • request-2.88.2.tgz (Root Library)
    • :x: tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 6.8999996%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /sample/SipInterconnect/package.json

Path to vulnerable library: /sample/SipInterconnect/node_modules/request/package.json

Dependency Hierarchy:

  • :x: request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: a7f0948738582b190c10062a408e10b28b6ec75d

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Jun 06 '22 09:06 mend-for-github-com[bot]

This is a good replacement for request: https://github.com/tomas/needle

cpettet avatar Jan 26 '23 22:01 cpettet

Any plans to address this?

relm923 avatar Sep 22 '23 15:09 relm923

Hi @relm923 , There's an open PR for it: https://github.com/opentok/opentok-node/pull/311

cpettet avatar Sep 22 '23 16:09 cpettet