The request package (upstream: request/request, now archived) follows HTTP redirects and resolves URLs without validating whether the resolved host points to an internal or private IP address. This allows Server-Side Request Forgery (SSRF): an attacker who controls a request URL, or the target of a redirect, can make the server send requests to internal infrastructure, including:
- Loopback addresses (127.0.0.0/8, ::1)
- Private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Link-local and cloud metadata endpoints (169.254.0.0/16, including 169.254.169.254)
- IPv6 unique local (fc00::/7) and link-local (fe80::/10) addresses
Version 2.88.2 adds SSRF protection that:
- Validates the target hostname/IP before every outgoing HTTP request (both initial requests and redirect targets).
- Performs DNS resolution on hostnames and checks whether the resolved IP falls within private/internal ranges.
- Blocks the request with a descriptive error if a private IP is detected.
If your application intentionally makes requests to private/internal IPs, you can disable the SSRF protection per request with the `allowPrivateIPs` option:
```javascript
const request = require('@brickhouse-tech/request')

// Opt out of the private-IP check for this one request only.
request({
  uri: 'http://internal-service.local/api',
  allowPrivateIPs: true
}, function (err, res, body) {
  // ...
})
```

Please report security issues to security@brickhouse.tech.
Brickhouse Tech provides long-term security maintenance for widely-used, abandoned npm packages.