request
257 known vulnerabilities · 15 critical · 27 high
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis
NodeVM observability builtins leak host process and HTTP request data
HAX CMS: Denial of Service using Malicious Import Request
NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused OAuth2 state
steal vulnerable to Prototype Pollution via requestedVersion variable
Malicious code in @aia-digital/request-module (npm)
undici before v5.8.0 vulnerable to CRLF injection in request headers
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
ws affected by a DoS when handling a request with many HTTP headers
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Websites were able to send any requests to the development server and read the response in vite
Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
Dark Reader gives users the ability to request style sheets from local web servers
Hono allows bypass of CSRF Middleware by a request without Content-Type header
Flowise has Authorization Bypass via Spoofed x-request-from Header
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
HTTP requests which redirect to another hostname do not strip the authorization header in @actions/http-client
Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability
Multer vulnerable to Denial of Service via unhandled exception from malformed request
Better Auth affected by external request basePath modification DoS
Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
Directus vulnerable to Server-Side Request Forgery On File Import
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url
Malicious code in request-js-validator (npm)
Malicious code in requestz-promises (npm)
Cube Core is vulnerable to Denial of Service (DoS) via crafted request
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Variables are cached with the operation when transforms exist on the root level, even if variables change in further requests with the same operation
OpenClaw's hooks count non-POST requests toward auth lockout
Malicious code in loglongakamairequest (npm)
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Parse Server: MFA recovery code single-use bypass via concurrent requests
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Malicious code in com.unity.modules.unitywebrequesttexture (npm)
Vite has a `server.fs.deny` bypass with an invalid `request-target`
Malicious code in com.unity.modules.unitywebrequest (npm)
Malicious code in com.unity.modules.unitywebrequestassetbundle (npm)
Malicious code in puppeteerrequestinterceptor (npm)
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
modern-async's `forEachSeries` and `forEachLimit` functions do not limit the number of requests
Malicious code in karma-jasmine-i-request (npm)
SvelteKit framework has Insufficient CSRF protection for CORS requests
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
Apache Thrift vulnerable to Path Traversal, HTTP Request/Response Splitting, Uncontrolled Resource Consumption
React Router has CSRF issue in Action/Server Action Request Processing
Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
Malicious code in request-ip-validator (npm)
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Malicious code in discord-json-requests (npm)
evershop allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API
hemmelig allows SSRF Filter bypass via Secret Request functionality
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
srvx is vulnerable to middleware bypass via absolute URI in request line
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
@builder.io/qwik-city Cross-Site Request Forgery vulnerability
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Malicious code in requests-async (npm)
NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Server-Side Request Forgery in SwaggerUI
Vite's `server.fs.deny` did not deny requests for patterns with directories
Malicious code in @cloudplatform-single-spa/mlspace-access-request (npm)
Formio improperly authorized permission elevation through specially crafted request path
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
Parse Server has a password reset token single-use bypass via concurrent requests
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)
Malicious code in bird-clean-sky-request (npm)
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Malicious code in font-request (npm)
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Malicious code in dependabot-pull-request-action (npm)
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
Malicious code in magic-umi-request (npm)
esbuild enables any website to send any requests to the development server and read the response
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
Duplicate Advisory: ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
Malicious code in redis-request-parser (npm)
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
Malicious code in synfc-wrequest (npm)
Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS
Malicious code in smart-request-buffers (npm)
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Malicious code in com.unity.modules.unitywebrequestwww (npm)
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
Multer vulnerable to Denial of Service from maliciously crafted requests
@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
Malicious code in requestlyx (npm)
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
Malicious code in affirm-requests (npm)
Malicious code in request-easy-validator (npm)
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes
Incorrect handling of CORS preflight request headers in hapi
Malicious code in @hongfangze/http-request (npm)
Malicious code in request-draft-ui (npm)
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
Malicious code in @ltd2research/tldrequest (npm)
@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
React Router: Potential CSRF via PUT/PATCH/DELETE document requests
Malicious code in com.unity.modules.unitywebrequestaudio (npm)
@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Malicious code in prerequests-xcode (npm)
Malicious code in electron-request (npm)
Malicious code in request-progres (npm)
Malicious code in discord.js-request (npm)
Malicious code in segmentrequestmanager (npm)
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Malicious code in @specials/request-tinkoff (npm)
NocoDB: Server-Side Request Forgery via Database Connection Host
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Malicious code in request-logger-canary (npm)
Malicious code in request-external-access (npm)
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Malicious code in requests-promises (npm)
When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Cube Core is vulnerable to privilege escalation via a specially crafted request
Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Malicious code in abstract-http-request (npm)
BigSweetPotatoStudio HyperChat has a Server-Side Request Forgery issue
Malicious code in graphql-request-dom (npm)
Prometheus exporter process crash via malformed HTTP request
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
Parse Server has an MFA single-use token bypass via concurrent authData login requests
launch-editor vulnerable to command injection via a crafted request on Windows
Malicious code in norequest-akash (npm)
Malicious code in ing-feat-payment-request (npm)
Malicious code in simplerequestnode (npm)
Malicious code in express-xmlrequest (npm)
@grpc/grpc-js: A malformed request can cause a server crash
Malicious code in mmolecule-httprequester (npm)
Malicious code in ps-request-ws (npm)
@angular/service-worker: Request Credential & Cache Policy Stripping
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
NocoDB: Server-Side Request Forgery via Base Migration URL
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Malicious code in plywood-clickhouse-requester (npm)
Electron: Incorrect origin passed to permission request handler for iframe requests
Malicious code in @thrift-api/request (npm)
Malicious code in requests-middleware (npm)
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
parse-server crashes when receiving file download request with invalid byte range
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
parse-server: Server option routeAllowList is bypassable through batch sub-requests
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Malicious code in express-request-ip (npm)
Malicious code in @clausehq/flows-step-httprequest (npm)
Malicious code in request-performance (npm)
Malicious code in request-tracking-sqlite (npm)