Closed
Description
Snyk and npm audit are complaining about a security vulnerability in a dependency of the node-strava-v3 package, the request package. This vulnerability has been catalogued by Snyk with the identifier SNYK-JS-REQUEST-3361831, highlighting a CWE-918: Server-Side Request Forgery (SSRF) issue.
Vulnerability Details
The request package, which node-strava-v3 depends on, is vulnerable to SSRF attacks due to insufficient validation of user-supplied URLs in its lib/redirect.js file. This flaw allows attackers to perform insecure redirects to different protocols (e.g., from HTTP to HTTPS or vice versa), potentially leading to unauthorized access to sensitive information or internal systems.
It shouldn't be an issue since this package is only used with the official Strava API.
Affected Versions:
[email protected] depends on [email protected].
GitHub Issues:
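As an added example (not code from request, node-strava-v3, or the issue author): a redirect policy a client could apply before following a `Location` header, refusing any protocol other than HTTPS and any host outside an allowlist. The `www.strava.com` allowlist entry, the function names, the redirect cap and the sample `Location` values are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: redirect policy check (not code from request or node-strava-v3).
const ALLOWED_HOSTS = new Set(['www.strava.com']); // assumption: only host the client should reach
const MAX_REDIRECTS = 5; // assumption: arbitrary cap on chain length

// Decide whether a single redirect hop may be followed.
function checkRedirect(currentUrl, locationHeader) {
  let next;
  try {
    next = new URL(locationHeader, currentUrl); // resolves relative Location values
  } catch (err) {
    return { allowed: false, reason: 'unparseable Location' };
  }
  if (next.protocol !== 'https:') {
    return { allowed: false, reason: 'protocol ' + next.protocol + ' not permitted' };
  }
  if (!ALLOWED_HOSTS.has(next.hostname) || next.port !== '') {
    return { allowed: false, reason: 'host ' + next.host + ' not in allowlist' };
  }
  if (next.username || next.password) {
    return { allowed: false, reason: 'credentials in URL' };
  }
  return { allowed: true, url: next.href };
}

// Walk a chain of Location headers, stopping at the first hop the policy rejects.
function resolveChain(startUrl, locationHeaders) {
  let current = startUrl;
  for (let hop = 0; hop < locationHeaders.length; hop++) {
    if (hop >= MAX_REDIRECTS) {
      return { ok: false, url: current, reason: 'too many redirects' };
    }
    const verdict = checkRedirect(current, locationHeaders[hop]);
    if (!verdict.allowed) {
      return { ok: false, url: current, reason: verdict.reason };
    }
    current = verdict.url;
  }
  return { ok: true, url: current, reason: null };
}

// Constructed sample chains (not captured traffic).
const start = 'https://www.strava.com/api/v3/athlete';
console.log(resolveChain(start, ['/api/v3/athletes/1']));
console.log(resolveChain(start, ['http://www.strava.com/api/v3/athlete']));
console.log(resolveChain(start, ['/api/v3/a', 'https://internal.example/admin']));
```
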