Server-Side Request Forgery in axios

Description

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Recommendation

Update the axios package to the latest compatible version. Followings are version details:

• Affected version(s): >= 1.3.2, <= 1.7.3
• Patched version(s): 1.7.4

References

• GHSA-8hc4-vh64-cxmj
• jeffhacks.com
• CVE-2024-39338
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
• Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
• Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
• lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability - CVE-2024-32964

Tags:

npm

axios