request-secure (npm package page)

Simplified HTTP request client with security patches for SSRF and prototype pollution

Version: 2.88.4 (latest)
Source: npm
Weekly downloads: 0
Maintainers: 1
request-secure

A fork of the popular request library with security fixes for SSRF and prototype pollution vulnerabilities.

Background

The original request package has been deprecated, but it's still widely used. This fork addresses two significant security vulnerabilities:

  • Server-side Request Forgery (SSRF) - A medium severity vulnerability (SNYK-JS-REQUEST-3361831) that could allow attackers to make requests to internal resources.
  • Prototype Pollution - A medium severity vulnerability (SNYK-JS-TOUGHCOOKIE-5672873) in the tough-cookie dependency.

Installation

npm install request-secure

Usage

Use it exactly like the original request package:

const request = require('request-secure');

request('https://www.google.com', (error, response, body) => {
  // On a failed request `response` is undefined, so stop here instead of
  // dereferencing it below.
  if (error) {
    console.error('Error:', error);
    return;
  }
  console.log('Status code:', response.statusCode);
  console.log('Body:', body);
});

Security Enhancements

1. SSRF Protection

By default, this fork prevents requests to:

  • Private IP ranges (10.0.0.0/8, 192.168.0.0/16, etc.)
  • Localhost (127.0.0.1, localhost)
  • Link-local addresses (169.254.0.0/16)
  • Restricted protocols (only http: and https: are allowed by default)

Configuring SSRF Protection

You can disable SSRF protection for specific requests:

request({
  url: 'http://192.168.1.1',
  disableSSRFProtection: true   // opt this single request out of the SSRF checks
}, callback);                    // callback has the usual (error, response, body) signature

To customize SSRF protection globally:

const request = require('request-secure');
// The protection module is exposed at this path; it is not needed for the
// configuration below, which is passed through `defaults()`.
const ssrfProtection = require('request-secure/lib/ssrf-protection');

// Create custom middleware with your configuration
const customConfig = {
  allowPrivateIPs: true,                 // Allow private IPs (not recommended in production)
  allowLocalhostDomains: true,           // Allow localhost domains
  blockedHosts: ['evil.com', 'attacker.net'], // Block specific hosts
  allowedProtocols: ['http:', 'https:', 'ftp:'] // Allow additional protocols
};

// Apply custom configuration. As in the original request API, `defaults()`
// returns a new request function carrying the options; use that function
// (here `secureRequest`) for subsequent calls rather than discarding the result.
const secureRequest = request.defaults({
  ssrfConfig: customConfig
});

2. Fixed Prototype Pollution

We've updated tough-cookie to version 4.1.3, which fixes the prototype pollution vulnerability. A compatibility layer maintains backward compatibility with request's API.

Backward Compatibility

This fork strives to maintain 100% backward compatibility with the original request package. If you encounter any compatibility issues, please open an issue.

Contribution

Contributions are welcome! Please feel free to submit a Pull Request.

License

Apache-2.0 (same as the original request package)

Keywords

http

Package last updated on 19 May 2025
