Description
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
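As an added illustration (not axios's own code) of the behaviour described above, the following JavaScript contrasts the flawed rule, where the cookie value is copied into the header for any host, with the same-origin rule a patched client should apply. The cookie string, page origin and request URLs are constructed samples.

```javascript
// Added illustration, not axios source. Shows why copying the XSRF cookie
// into a request header for every host leaks it, and the same-origin rule
// that prevents the leak.
const XSRF_COOKIE_NAME = "XSRF-TOKEN";
const XSRF_HEADER_NAME = "X-XSRF-TOKEN";

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// True when requestUrl (absolute or relative) resolves to the page's origin.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === pageOrigin;
}

// Flawed rule (the vulnerability): attach the token to every request,
// regardless of destination host, so a cross-origin request leaks it.
function leakyXsrfHeadersFor(requestUrl, pageOrigin, cookieString) {
  const token = parseCookies(cookieString)[XSRF_COOKIE_NAME];
  return token ? { [XSRF_HEADER_NAME]: token } : {};
}

// Hardened rule: attach the token only when the request stays on the
// page's own origin; cross-origin destinations receive no XSRF header.
function safeXsrfHeadersFor(requestUrl, pageOrigin, cookieString) {
  const token = parseCookies(cookieString)[XSRF_COOKIE_NAME];
  if (!token || !isSameOrigin(requestUrl, pageOrigin)) return {};
  return { [XSRF_HEADER_NAME]: token };
}

// Constructed sample: a page on app.example.test holding a token cookie.
const SAMPLE_ORIGIN = "https://app.example.test";
const SAMPLE_COOKIES = "session=abc; XSRF-TOKEN=tok123";
const SAME_ORIGIN_URL = "/api/items";
const CROSS_ORIGIN_URL = "https://other.example.test/collect";
```

Running the two functions over the constructed inputs shows the leaky rule sending the token to the cross-origin URL while the hardened rule returns no header for it.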
Recommendation
Update the axios package to the latest compatible version. The affected and patched versions are:
Affected version(s): **>= 0.8.1, < 0.28.0** and **>= 1.0.0, < 1.6.0**
Patched version(s): **0.28.0** and **1.6.0**
References
- GHSA-wf5p-g6vw-rhxx
- security.snyk.io
- security.netapp.com
- CVE-2023-45857
- CWE-352
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability - CVE-2023-45884
- @fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state - CVE-2023-31999
- SvelteKit vulnerable to Cross-Site Request Forgery - CVE-2023-29003
- Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
Tags:
- npm
- axios
Last updated on June 21, 2024