Description
axios 1.7.2 allows SSRF through unexpected URL handling: requests for path-relative URLs are processed as protocol-relative URLs, so a request intended for a path under the configured base can be sent to a different host.
Recommendation
Update the axios package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 1.3.2, <= 1.7.3
- Patched version(s): 1.7.4
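As an added example (not code from this advisory or from the axios project), a defensive pattern that does not depend on how a given axios release joins `baseURL` and a relative path: resolve the final request URL yourself with the WHATWG URL parser, pin its origin to the trusted base, and hand only the resulting absolute URL to the HTTP client. The hostnames and paths below are constructed placeholders.

```javascript
// Added example, not part of the advisory or of axios. Hostnames are placeholders.
// Resolve a caller-supplied relative path against a trusted base URL and refuse
// the request unless the resolved URL still lives on the base URL's origin.
// Returns the absolute URL string to pass to the HTTP client (e.g. axios.get(url)),
// so the client never has to decide whether the input is path- or protocol-relative.
function resolvePinned(baseURL, userPath) {
  const base = new URL(baseURL);
  let resolved;
  try {
    // WHATWG resolution: '/x' stays on the base host, '//host/x' switches host.
    resolved = new URL(userPath, base);
  } catch (e) {
    throw new Error(`unparseable request path: ${JSON.stringify(userPath)}`);
  }
  // origin = scheme + host + port, with default ports and case already normalised.
  if (resolved.origin !== base.origin) {
    throw new Error(`refusing cross-origin request: ${resolved.origin} != ${base.origin}`);
  }
  return resolved.href;
}

// Same check as a verdict object instead of an exception, convenient for logging/tests.
function classify(baseURL, userPath) {
  try {
    return { allowed: true, url: resolvePinned(baseURL, userPath) };
  } catch (e) {
    return { allowed: false, reason: e.message };
  }
}

// Constructed inputs, as an application might receive them in a "callback path" parameter.
const BASE = 'https://api.internal.example';
const SAMPLES = [
  '/v1/users/42',            // path-relative: stays on the base origin
  '/attacker.example/x',     // path-relative that merely looks like a host: still on base origin
  '//attacker.example/x',    // protocol-relative: resolves to another host, rejected
  'http://attacker.example', // absolute URL to another host, rejected
  'v1/../../admin',          // dot segments are normalised; origin pinning says nothing about the path
];

for (const p of SAMPLES) {
  console.log(JSON.stringify(p), '=>', classify(BASE, p));
}
```

Pinning the origin is a complement to, not a replacement for, upgrading: it catches the protocol-relative case regardless of client behaviour, but it does not constrain the path, so an allowlist of permitted paths is still needed where the path itself is user-controlled.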
References
Related Issues
- Strapi allows Server-Side Request Forgery in Webhook function - CVE-2024-52588
- Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
- Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
- lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability - CVE-2024-32964
Tags:
- npm
- axios
Last updated on August 13, 2024