Description
axios 1.7.2 allows SSRF through unexpected behavior in which requests for path-relative URLs are processed as protocol-relative URLs, so a caller-supplied "path" can end up selecting the host the request is sent to.
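The distinction the advisory turns on, shown as an added example that is not axios code: a path-relative string keeps the base origin when resolved, while a protocol-relative one (`//host/...`) takes its host from the input. The allowlist, origins, and helper names are constructed for this illustration; the control worth copying is the origin check on the parsed result, not the prefix heuristic.

```javascript
// Constructed sample: the only origin this service is allowed to call.
const ALLOWED_ORIGINS = new Set(['https://api.internal.example']);

// Rough prefix-based classification of a caller-supplied URL string.
// Informational only: WHATWG parsing has more shapes than this regex
// covers (e.g. backslashes before the host), so never rely on it alone.
function classifyUrl(input) {
  if (/^[a-z][a-z\d+\-.]*:\/\//i.test(input)) return 'absolute';
  if (input.startsWith('//')) return 'protocol-relative'; // host comes from input
  return 'path-relative';
}

// Resolve the input against a fixed, trusted base exactly as an HTTP client
// would, then refuse anything whose resulting origin is not allowlisted.
// Returns the final URL string; throws on an origin change.
function resolveOutbound(input, base = 'https://api.internal.example') {
  const resolved = new URL(input, base);
  if (!ALLOWED_ORIGINS.has(resolved.origin)) {
    throw new Error(
      `refusing outbound request to ${resolved.origin} (input ${JSON.stringify(input)})`
    );
  }
  return resolved.href;
}

// Helper that reports how each input would be treated, for review output.
function describe(input) {
  try {
    return { input, kind: classifyUrl(input), result: resolveOutbound(input) };
  } catch (e) {
    return { input, kind: classifyUrl(input), result: 'blocked: ' + e.message };
  }
}

module.exports = { ALLOWED_ORIGINS, classifyUrl, resolveOutbound, describe };
```

Run `describe` over `/users/1`, `//other.example/x`, and `\\other.example/x` to see that the last one is misclassified as path-relative by the prefix check yet still blocked by the origin check.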
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.2, <= 1.7.3
- Patched version(s): 1.7.4
Related Issues
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- RSSHub vulnerable to Server-Side Request Forgery - CVE-2024-27927
- Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
- Nuxt Icon affected by a Server-Side Request Forgery (SSRF) - CVE-2024-42352
- Tags:
- npm
- axios
Last updated on August 13, 2024