The got npm package is safe to use in production as long as you are on a patched version (11.8.5+ or 12.1.0+) and you constrain where it is allowed to send requests. got is a mature, promise-based HTTP client for Node.js, but like any library that fetches URLs on your behalf, the npm got dependency deserves a look at its one notable CVE and its SSRF exposure before you trust it with user-supplied URLs.
got is downloaded tens of millions of times a week and sits underneath a large chunk of the Node ecosystem, often as a transitive dependency you never chose directly. That reach is exactly why a single redirect bug in it matters.
The one CVE worth knowing: CVE-2022-33987
The most cited security issue in got is CVE-2022-33987, an open-redirect flaw. In affected versions, got did not verify the target of a redirect and would follow a response that redirected the request to a UNIX socket. That behavior can be abused to reach resources the caller never intended to touch.
The fix is straightforward: the flaw was patched in got 12.1.0, and backported to 11.8.5 for the 11.x line. If your lockfile shows anything older, upgrade. Because got frequently arrives transitively, run:
npm ls got
to see every version resolved across your tree, not just the one you declared.
got is ESM-only from v12 onward
A practical gotcha that trips up upgrades: got version 12 and later is a pure ES module. If your project still uses CommonJS require(), require('got') will throw. You either move to ESM import, use a dynamic import(), or stay on the 11.x line (patched at 11.8.5). This is a maintenance decision, not a vulnerability, but teams sometimes pin to a vulnerable 11.x release specifically to avoid the ESM migration, which is the wrong trade. Upgrade to 11.8.5 at minimum.
SSRF: the risk that isn't a CVE
The larger, ongoing risk with any HTTP client is server-side request forgery. If your code passes a user-controlled URL straight into got, an attacker can point it at internal services, cloud metadata endpoints, or localhost admin ports:
// Dangerous: url comes from the request body
const res = await got(req.body.targetUrl);
No version of got protects you from this by itself, because the library is doing exactly what you asked. The defense is an allowlist and disabled redirects for untrusted input:
import got from 'got';
const client = got.extend({
followRedirect: false,
timeout: { request: 5000 },
retry: { limit: 1 },
});
function isAllowed(url) {
const u = new URL(url);
return u.protocol === 'https:' && ALLOWED_HOSTS.has(u.hostname);
}
if (!isAllowed(userUrl)) throw new Error('host not allowed');
const res = await client(userUrl);
Turning off followRedirect for untrusted destinations directly mitigates the class of problem CVE-2022-33987 lived in, because a redirect can move a request from an allowed host to a forbidden one after your check passed.
Set sane timeouts and retry limits
got will retry and wait on your behalf, and the defaults are generous. An outbound call with no timeout is a slow-loris risk against your own service: a hostile or dead upstream can tie up your event loop and connections. Always set an explicit timeout and cap retry.limit, as in the snippet above. This is defensive hygiene rather than a CVE fix, but it is the difference between a graceful failure and a cascading outage.
Keeping got patched over time
Because got is so often transitive, the version you audited today can regress the next time you update an unrelated dependency. Two habits keep it honest:
- Run
npm audit(or an equivalent scanner) in CI so a vulnerablegotfails the build. - Watch for the ESM/CJS boundary during upgrades so you do not get stuck on an old, vulnerable release for compatibility reasons.
An SCA tool can flag a downgraded or vulnerable got even when it is buried deep in the dependency graph, which is where transitive HTTP clients usually hide. If you are weighing scanner options, our comparison with Snyk covers how transitive detection differs between tools.
FAQ
Is got npm safe to use in 2025?
Yes, on a patched version. Use got 12.1.0 or later, or 11.8.5 if you need CommonJS support. Both fix CVE-2022-33987. The library is actively maintained and widely trusted.
What versions of got are affected by CVE-2022-33987?
Versions before 11.8.5 and versions 12.0.0 through 12.0.x are affected by the redirect-to-UNIX-socket open redirect. Upgrading to 11.8.5 or 12.1.0 resolves it.
Why does require('got') throw an error?
got v12+ is a pure ES module and cannot be loaded with CommonJS require(). Switch your code to import, use a dynamic import(), or stay on the patched 11.8.5 release if you must keep CommonJS.
Does got protect against SSRF automatically?
No. got faithfully requests whatever URL you give it. Preventing SSRF is your responsibility: validate and allowlist hostnames, disable redirects for untrusted input, and set strict timeouts.