Description
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.21.1
- Patched version(s): 0.21.1
References
- GHSA-4w2v-q235-vp99
- snyk.io
- www.npmjs.com
- lists.apache.org
- cert-portal.siemens.com
- CVE-2020-28168
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- mongosh vulnerable to local privilege escalation - CVE-2025-1756
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on February 01, 2023