Description
Axios versions 0.8.1 through 1.5.1 read the XSRF-TOKEN cookie and copy its value into the X-XSRF-TOKEN request header on every request, regardless of the destination host (the copy happens in browser environments, where axios can read document.cookie). Any third-party host the application sends a request to therefore receives the anti-CSRF token that was meant to be shared only with the issuing origin, so an attacker who controls or observes such a host obtains the token and defeats the cross-site request forgery protection it exists to provide (CWE-352).
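The decision the description turns on, modelled as two stand-alone functions. This is an added example, not axios's own source: the cookie jar, origins and request URLs are constructed, and the `withXSRFToken` opt-in flag in the patched variant is named after the per-request option that later axios releases expose for trusted cross-origin hosts (treat the exact name and semantics as an assumption and check the version you install).

```javascript
// Added example: how an axios-style browser client decides whether to copy the
// XSRF-TOKEN cookie into an X-XSRF-TOKEN header. Not axios's own code.

const XSRF_COOKIE_NAME = 'XSRF-TOKEN';
const XSRF_HEADER_NAME = 'X-XSRF-TOKEN';

// Constructed cookie jar standing in for document.cookie on the page origin.
const COOKIE_JAR = { 'XSRF-TOKEN': 'a1b2c3d4-secret-token', session: 'sid-123' };

// Same origin = same scheme and same host:port. A relative URL resolves to the
// page origin; the WHATWG URL parser drops default ports, so ":443" matches.
function isSameOrigin(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, pageOrigin);
  return page.protocol === target.protocol && page.host === target.host;
}

// Vulnerable behaviour (axios >=0.8.1 <0.28.0 and >=1.0.0 <1.6.0): the cookie
// value is attached no matter which host the request goes to.
function buildHeadersVulnerable(pageOrigin, requestUrl, cookies = COOKIE_JAR) {
  const headers = {};
  const token = cookies[XSRF_COOKIE_NAME];
  if (token) headers[XSRF_HEADER_NAME] = token; // pageOrigin/requestUrl never consulted
  return headers;
}

// Patched behaviour: attach only for same-origin requests, or when the caller
// explicitly opts in for a host it trusts (option name is an assumption here).
function buildHeadersPatched(pageOrigin, requestUrl, { withXSRFToken = false } = {}, cookies = COOKIE_JAR) {
  const headers = {};
  const token = cookies[XSRF_COOKIE_NAME];
  if (token && (withXSRFToken || isSameOrigin(pageOrigin, requestUrl))) {
    headers[XSRF_HEADER_NAME] = token;
  }
  return headers;
}

// What each cross-origin server would receive from the client's requests.
function leakedTokens(pageOrigin, requestUrls, build) {
  return requestUrls
    .filter((u) => !isSameOrigin(pageOrigin, u))
    .map((u) => ({ url: u, token: build(pageOrigin, u)[XSRF_HEADER_NAME] || null }));
}

// Constructed scenario: an app talking to itself, a CDN and an attacker-run host.
const PAGE_ORIGIN = 'https://app.example';
const REQUESTS = [
  '/api/profile',
  'https://app.example:443/api/orders',
  'https://cdn.third-party.example/stats',
  'https://attacker.example/collect',
];

console.log('vulnerable client leaks:', leakedTokens(PAGE_ORIGIN, REQUESTS, buildHeadersVulnerable));
console.log('patched client leaks:  ', leakedTokens(PAGE_ORIGIN, REQUESTS, buildHeadersPatched));
```

Running it shows the vulnerable variant handing the token to both off-origin hosts while the patched variant sends it to neither; the only way the patched variant sends the token cross-origin is an explicit per-request opt-in, which is the right default for an anti-CSRF secret.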
Recommendation
Update the axios package to the latest compatible version. Version details:
Affected version(s): **>= 0.8.1, < 0.28.0** and **>= 1.0.0, < 1.6.0**
Patched version(s): **0.28.0** (0.x line) and **1.6.0** (1.x line)
Check transitive copies as well as your direct dependency: a fixed top-level axios does not help if a library in the tree still pins an affected release. After upgrading, treat any cross-origin request that still needs the token as an explicit, per-request decision for a trusted host rather than the default.
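A way to check an installed dependency tree against the two affected ranges above, as an added example that is not part of the advisory. It walks the JSON shape printed by `npm ls axios --json --all` (nested `dependencies` objects keyed by package name); the tree below is a constructed sample, not real npm output, and the semver comparison is deliberately minimal (major.minor.patch plus "prerelease sorts before release").

```javascript
// Added example: flag every axios copy in an npm dependency tree whose version
// falls inside the ranges listed in the advisory. Not part of the advisory.

const AFFECTED_RANGES = [
  { min: '0.8.1', maxExclusive: '0.28.0' },
  { min: '1.0.0', maxExclusive: '1.6.0' },
];

// Parse "v?MAJOR.MINOR.PATCH[-prerelease]"; build metadata after "+" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before the matching release, so
// 1.6.0-beta.1 < 1.6.0 and is therefore still inside the affected range.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0,
  );
}

// Smallest patched release on the same major line as the installed version.
function minimumFix(version) {
  return parseVersion(version).parts[0] === 0 ? '0.28.0' : '1.6.0';
}

// Recursively visit every node's `dependencies` and report affected axios copies
// with the path that pulls them in, so transitive pins are not missed.
function findAffectedAxios(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'axios' && info.version && isAffected(info.version)) {
      out.push({ path: here.join(' > '), version: info.version, upgradeTo: minimumFix(info.version) });
    }
    findAffectedAxios(info, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls axios --json --all` output.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    axios: { version: '1.5.1' },
    'some-sdk': { version: '2.3.0', dependencies: { axios: { version: '0.21.4' } } },
    'other-lib': { version: '4.0.0', dependencies: { axios: { version: '1.6.0' } } },
  },
};

console.log(findAffectedAxios(SAMPLE_TREE));
```

On the sample tree this reports the direct 1.5.1 dependency and the 0.21.4 copy nested under `some-sdk`, and stays silent on the 1.6.0 copy; the nested one is the case `npm audit fix` can miss when the intermediate package pins an old range.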
References
- GHSA-wf5p-g6vw-rhxx
- security.snyk.io
- security.netapp.com
- CVE-2023-45857
- CWE-352
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- Remote code execution via the `pretty` option. - CVE-2021-21353
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
Tags:
- npm
- axios
Last updated on June 21, 2024