request
208 known vulnerabilities · 15 critical · 27 high
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function
NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused OAuth2 state
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
steal vulnerable to Prototype Pollution via requestedVersion variable
undici before v5.8.0 vulnerable to CRLF injection in request headers
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
OpenClaw: Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
ws affected by a DoS when handling a request with many HTTP headers
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Websites were able to send any requests to the development server and read the response in vite
Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
Dark Reader gives users the ability to request style sheets from local web servers
Hono allows bypass of CSRF Middleware by a request without Content-Type header
Flowise has Authorization Bypass via Spoofed x-request-from Header
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
HTTP requests that redirect to another hostname do not strip the Authorization header in @actions/http-client
@builder.io/qwik-city Cross-Site Request Forgery vulnerability
Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability
Multer vulnerable to Denial of Service via unhandled exception from malformed request
Better Auth affected by external request basePath modification DoS
Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
Directus vulnerable to Server-Side Request Forgery On File Import
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url
Malicious code in requestz-promises (npm)
Vite's `server.fs.deny` did not deny requests for patterns with directories
Cube Core is vulnerable to Denial of Service (DoS) via crafted request
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Operation variables are cached when transforms exist on the root level, even if the variables change in later requests with the same operation
OpenClaw's hooks count non-POST requests toward auth lockout
Malicious code in loglongakamairequest (npm)
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Parse Server: MFA recovery code single-use bypass via concurrent requests
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Malicious code in com.unity.modules.unitywebrequesttexture (npm)
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Vite has an `server.fs.deny` bypass with an invalid `request-target`
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Malicious code in com.unity.modules.unitywebrequest (npm)
Malicious code in com.unity.modules.unitywebrequestassetbundle (npm)
Malicious code in puppeteerrequestinterceptor (npm)
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
modern-async's `forEachSeries` and `forEachLimit` functions do not limit the number of requests
Malicious code in karma-jasmine-i-request (npm)
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
SvelteKit framework has Insufficient CSRF protection for CORS requests
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
React Router has CSRF issue in Action/Server Action Request Processing
Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
Malicious code in request-ip-validator (npm)
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
Malicious code in express-request-ip (npm)
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Malicious code in discord-json-requests (npm)
evershop allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API
hemmelig allows SSRF Filter bypass via Secret Request functionality
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
Malicious code in @clausehq/flows-step-httprequest (npm)
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
srvx is vulnerable to middleware bypass via absolute URI in request line
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
parse-server crashes when receiving file download request with invalid byte range
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Malicious code in requests-async (npm)
NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Server side request forgery in SwaggerUI
Formio improperly authorized permission elevation through specially crafted request path
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
Parse Server has a password reset token single-use bypass via concurrent requests
Electron: Incorrect origin passed to permission request handler for iframe requests
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)
Malicious code in bird-clean-sky-request (npm)
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Malicious code in font-request (npm)
NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
Malicious code in discord.js-request (npm)
Malicious code in @thrift-api/request (npm)
esbuild enables any website to send any requests to the development server and read the response
Malicious code in dependabot-pull-request-action (npm)
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
Malicious code in magic-umi-request (npm)
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.
Malicious code in redis-request-parser (npm)
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
Malicious code in synfc-wrequest (npm)
Malicious code in smart-request-buffers (npm)
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Malicious code in com.unity.modules.unitywebrequestwww (npm)
Multer vulnerable to Denial of Service from maliciously crafted requests
@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
Malicious code in requestlyx (npm)
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
Malicious code in affirm-requests (npm)
Malicious code in request-easy-validator (npm)
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes
Incorrect handling of CORS preflight request headers in hapi
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Malicious code in plywood-clickhouse-requester (npm)
Malicious code in @hongfangze/http-request (npm)
Malicious code in request-draft-ui (npm)
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
Malicious code in @ltd2research/tldrequest (npm)
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Malicious code in com.unity.modules.unitywebrequestaudio (npm)
Malicious code in prerequests-xcode (npm)
Malicious code in ps-request-ws (npm)
Malicious code in electron-request (npm)
Malicious code in request-progres (npm)
Malicious code in segmentrequestmanager (npm)
Malicious code in @specials/request-tinkoff (npm)
Malicious code in norequest-akash (npm)
Malicious code in request-external-access (npm)
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Malicious code in requests-promises (npm)
Malicious code in @aia-digital/request-module (npm)
When EntityOptions.apiPrefilter is set to a function, the filter is not applied to API requests for a resource by ID
Malicious code in mmolecule-httprequester (npm)
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
Cube Core is vulnerable to privilege escalation via a specially crafted request
Malicious code in abstract-http-request (npm)
Malicious code in graphql-request-dom (npm)
Malicious code in request-js-validator (npm)
Malicious code in ing-feat-payment-request (npm)
Malicious code in simplerequestnode (npm)
Malicious code in express-xmlrequest (npm)