Description
axios 1.7.2 allows SSRF through unexpected behavior in which requests for path-relative URLs are processed as protocol-relative URLs, so a request intended for a path on the configured host can be sent to a different host.
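As an added illustration (not code from this advisory or from axios), the script below shows how a WHATWG-compliant URL parser, which is what Node's global URL class implements, resolves protocol-relative input such as //host/... against a base URL, and the origin check a caller can apply to user-supplied paths before handing them to any HTTP client. The base address, the sample inputs and the function names are constructed for this example. It also covers the backslash form /\host, which the WHATWG parser treats like //host for http(s) URLs; whether that exact form is what triggered this advisory is not stated on this page.

```javascript
// Added example, not axios code: resolve a caller-supplied path against a
// fixed base with the WHATWG URL parser (Node's global URL) and refuse any
// result whose origin differs from the base origin.

const BASE = 'http://127.0.0.1:3000'; // constructed internal service base

// Returns the resolved absolute URL, or throws if resolution leaves the base
// origin. A path-relative input stays on the base host; a protocol-relative
// one ("//host/...") does not. The backslash form ("/\host") is resolved the
// same way because, for special schemes such as http, the WHATWG parser
// treats "\" as "/".
function resolveOnBase(base, userPath) {
  const baseUrl = new URL(base);
  const target = new URL(userPath, baseUrl);
  if (target.origin !== baseUrl.origin) {
    throw new Error(
      `refusing off-origin target ${target.href} for input ${JSON.stringify(userPath)}`
    );
  }
  return target.href;
}

// Classify a batch of inputs without throwing, showing where each would go.
function classify(base, inputs) {
  return inputs.map((p) => {
    try {
      return { input: p, ok: true, href: resolveOnBase(base, p) };
    } catch (e) {
      return { input: p, ok: false, href: new URL(p, base).href };
    }
  });
}

// Constructed inputs: two legitimate relative paths and three that escape
// the base host.
const SAMPLE_INPUTS = [
  '/api/users',
  'api/users?page=2',
  '//evil.example/steal',
  '/\\evil.example/steal',
  'http://evil.example/steal',
];

for (const r of classify(BASE, SAMPLE_INPUTS)) {
  console.log(`${r.ok ? 'ALLOW' : 'BLOCK'} ${JSON.stringify(r.input)} -> ${r.href}`);
}
```

The origin comparison is the check that matters: it is independent of how the string looks, so it catches the protocol-relative and backslash forms as well as a plain absolute URL, which a prefix check for "http" would miss. Applying it to the final resolved URL, not to the raw input, is what makes it robust.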
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.2, <= 1.7.3
- Patched version(s): 1.7.4
References
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
Tags:
- npm
- axios
Last updated on August 13, 2024