Description
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.21.1
- Patched version(s): 0.21.1
References
- GHSA-4w2v-q235-vp99
- snyk.io
- www.npmjs.com
- lists.apache.org
- cert-portal.siemens.com
- CVE-2020-28168
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
- Server-Side Request Forgery in @uppy/companion - @uppy/companion - CVE-2020-8135
- RSSHub vulnerable to Server-Side Request Forgery - CVE-2024-27927
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - uppy - CVE-2022-0086
You might also like:
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on February 01, 2023