CVE-2021-23664: 
JavaScript vulnerability analysis and mitigation

The package @isomorphic-git/cors-proxy before version 2.7.1 was found to be vulnerable to Server-side Request Forgery (SSRF). The vulnerability was discovered on October 15, 2021, and was assigned CVE-2021-23664. The vulnerability affects the middleware.js component due to missing sanitization and validation of the redirection action (Snyk).

The vulnerability exists in the middleware.js component where redirection actions are not properly sanitized and validated. The CVSS v3.1 base score is 8.6 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Changed, Confidentiality: High, Integrity: None, Availability: None (Snyk).

The vulnerability can lead to a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. The scope is changed, meaning the exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component (Snyk).

The vulnerability has been fixed in version 2.7.1 of @isomorphic-git/cors-proxy. Users should upgrade to version 2.7.1 or higher to address this security issue. The fix includes changes to prevent following redirects and modifying location headers in the response (GitHub Commit).