Description
The axios npm package before version 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability. When a request is configured to go through a proxy, the redirect target named in a 3xx Location header is followed without the proxy settings being reapplied, so the follow-up request is sent directly to that target. An attacker who controls a URL the application fetches can therefore respond with a redirect to a restricted host or IP address and bypass the proxy.
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): < 0.21.1
- Patched version(s): 0.21.1
- Workaround if upgrading is not immediately possible: set `maxRedirects: 0` in the request config so that redirects are returned to the caller instead of being followed automatically, and validate any Location header before issuing the follow-up request through the proxy yourself.
References
- GHSA-4w2v-q235-vp99
- snyk.io
- www.npmjs.com
- lists.apache.org
- cert-portal.siemens.com
- CVE-2020-28168
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Server-Side Request Forgery in @uppy/companion - CVE-2020-8205
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
Tags
- npm
- axios
Last updated on February 01, 2023