Description
axios 1.7.2 allows SSRF via unexpected behavior in which requests for path-relative URLs (a path beginning with a single `/`) are processed as protocol-relative URLs (`//host/...`), so a request intended for the configured base host can be sent to a different host instead.
Recommendation
Update the axios package to the latest compatible version. Version details:
- Affected version(s): >= 1.3.2, <= 1.7.3
- Patched version(s): 1.7.4
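Upgrading is the fix; as a defence in depth that does not depend on the installed axios version, an application can resolve any caller-supplied path against its fixed base URL with the WHATWG URL parser and refuse the request when the result leaves the base origin. The following is an added example written for this page (it is not axios code and does not reproduce axios internals); the base URL and the sample paths are constructed, and the link-local address is used only as a stand-in for an internal host.

```javascript
// Added example (not axios code): resolve a caller-supplied path against a fixed
// base URL and refuse the request unless the result stays on the base origin.
// A path-relative URL such as '/users/42' stays on the base host; a
// protocol-relative URL such as '//other.host/x' switches host and is rejected.

// Resolve `path` against `baseURL` and return the final URL string, or throw
// if the resolved origin differs from the base origin.
function resolveSameOrigin(baseURL, path) {
  const base = new URL(baseURL);
  let resolved;
  try {
    resolved = new URL(path, base);
  } catch (err) {
    throw new Error(`unparseable path: ${JSON.stringify(path)}`);
  }
  if (resolved.origin !== base.origin) {
    throw new Error(`path ${JSON.stringify(path)} resolves off-origin to ${resolved.origin}`);
  }
  return resolved.href;
}

// Classify a batch of candidate paths. Each entry records whether the path is
// allowed and either the resolved href or the rejection reason.
function classify(baseURL, paths) {
  return paths.map((path) => {
    try {
      return { path, ok: true, href: resolveSameOrigin(baseURL, path) };
    } catch (err) {
      return { path, ok: false, reason: err.message };
    }
  });
}

// Constructed sample inputs (not taken from any real traffic or from the advisory).
const BASE = 'https://api.internal.example/v1/';
const SAMPLE_PATHS = [
  '/users/42',                 // path-relative: stays on the base origin, allowed
  'google.com/search',         // relative without leading slash: still on the base origin
  '//169.254.169.254/latest',  // protocol-relative: switches host, rejected
  '/\\169.254.169.254/latest', // for http(s) the URL parser treats '\' like '/': also protocol-relative
  'http://169.254.169.254/',   // absolute URL: switches origin, rejected
];

for (const r of classify(BASE, SAMPLE_PATHS)) {
  console.log(r.ok ? `ALLOW ${r.path} -> ${r.href}` : `DENY  ${r.path}: ${r.reason}`);
}
```

The check compares `origin` (scheme, host and port) rather than inspecting the leading characters of the path, so it also catches the backslash variant and any absolute URL, and it is placed in front of the HTTP client so the client's own URL handling no longer decides where the request goes.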
References
Related Issues
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- PrismJS DOM Clobbering vulnerability - CVE-2024-53382
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
Tags: npm, axios
Last updated on August 13, 2024