Description
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Recommendation
Update the axios package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.21.1
- Patched version(s): 0.21.1
References
- GHSA-4w2v-q235-vp99
- snyk.io
- www.npmjs.com
- lists.apache.org
- cert-portal.siemens.com
- CVE-2020-28168
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
- Server-Side Request Forgery in @uppy/companion (GHSA-mm7r-265w-jv6f) - CVE-2020-8135
- pdfmake is vulnerable to server-side request forgery (SSRF) - CVE-2026-26801
- Tags:
- npm
- axios
Anything's wrong? Let us know Last updated on February 01, 2023