HTTP Response Splitting
org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to HTTP Response Splitting via the parseTokens header processing path in lib/core/AxiosHeaders.js. An attacker can smuggle HTTP requests or inject arbitrary headers by supplying a header value containing \r\n, which Axios merges into an outbound request. Under specific conditions, this can be used to exfiltrate cloud metadata tokens, pivot into internal services, or poison downstream HTTP traffic.
Notes
- Exploitation requires a prior successful prototype pollution in a third-party dependency, so that attacker-controlled header data flows into Axios via configuration merging or AxiosHeaders.set(...).
- IMDSv2 token exfiltration (described in the original vulnerability report as a further step in the exploit chain, following the smuggling of a PUT request) additionally depends on the application running in an AWS environment with instance metadata access enabled, and on the Axios process having network access to the metadata endpoint.
- A possible but uncommon vector mentioned in the maintainers' advisory relies on a non-standard Axios transport mechanism, e.g. a custom adapter, to bypass Node.js header validation, thereby permitting malformed or injected header values to be transmitted without rejection. In most cases this vector is blocked by Node.js's built-in header validation.
How to fix HTTP Response Splitting? Upgrade org.webjars.npm:axios to version 1.15.0 or higher.
Unintended Proxy or Intermediary ('Confused Deputy')
org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via improper hostname normalization in the NO_PROXY environment variable. An attacker controlling request URLs can access internal or loopback services by crafting requests (with a trailing dot or [::1]) that bypass proxy restrictions, causing sensitive requests to be routed through an unintended proxy.
Note:
This is only exploitable if the application relies on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access.
How to fix Unintended Proxy or Intermediary ('Confused Deputy')? Upgrade org.webjars.npm:axios to version 1.15.0 or higher.
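Added illustration (not axios source): a NO_PROXY matcher that compares the raw URL hostname against NO_PROXY=localhost,127.0.0.1,::1 lets "localhost." and "[::1]" fall through to the proxy, while a matcher that canonicalizes the hostname first (lowercase, strip the trailing dot, strip IPv6 brackets) bypasses the proxy for them as intended. The hardened matcher also honours suffix entries such as ".internal", which goes beyond the rule list in the note; the function names are constructed for this example.

```javascript
// Added illustration, not axios source: NO_PROXY matching before and after
// hostname normalization, using the rule list named in the note above.
const NO_PROXY = 'localhost,127.0.0.1,::1';

function parseNoProxy(list) {
  return list.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Naive matcher (hypothetical): compares the WHATWG URL hostname verbatim.
// "localhost." and "[::1]" are not string-equal to "localhost"/"::1", so these
// loopback requests are routed through the proxy.
function shouldBypassProxyNaive(urlString, noProxy = NO_PROXY) {
  const host = new URL(urlString).hostname;
  return parseNoProxy(noProxy).includes(host);
}

// Canonical form used by the hardened matcher:
//  - lowercase
//  - strip one trailing dot (the FQDN form "localhost." names the same host)
//  - strip IPv6 brackets ("[::1]" -> "::1")
function normalizeHost(host) {
  let h = host.toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  return h;
}

// Hardened matcher: normalize both sides, then compare exactly or by suffix.
// Suffix entries (".internal" or "*.internal") are an extension beyond the
// three-entry list in the note.
function shouldBypassProxy(urlString, noProxy = NO_PROXY) {
  const host = normalizeHost(new URL(urlString).hostname);
  return parseNoProxy(noProxy).some((entry) => {
    const e = normalizeHost(entry.replace(/^\*/, ''));
    if (e === '') return false;
    if (e.startsWith('.')) return host.endsWith(e) || host === e.slice(1);
    return host === e;
  });
}
```

Note that the WHATWG URL parser preserves a trailing dot and keeps the brackets on an IPv6 literal in `hostname`, so the normalization has to happen in the proxy decision itself rather than being assumed from URL parsing.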
Allocation of Resources Without Limits or Throttling
org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Http2Sessions.getSession() function in the HTTP/2 session cleanup. An attacker can cause the client process to crash by establishing multiple concurrent HTTP/2 sessions and then closing all sessions simultaneously from a malicious server.
How to fix Allocation of Resources Without Limits or Throttling? Upgrade org.webjars.npm:axios to version 1.14.0 or higher.
Prototype Pollution
org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing a __proto__ property, typically by leveraging JSON.parse().
How to fix Prototype Pollution? Upgrade org.webjars.npm:axios to version 1.13.5 or higher.
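Added illustration (not axios's mergeConfig): a recursive configuration merge that walks into a "__proto__" key taken from JSON.parse() output writes the attacker's keys onto Object.prototype, so an unrelated object created afterwards carries them; this is also the kind of pollution the HTTP Response Splitting notes above presuppose for attacker data to reach a header object. The hardened merge beside it skips the __proto__/constructor/prototype keys and only descends into the target's own properties. The function names and the JSON payload are constructed for this example.

```javascript
// Added illustration, not axios source: a pollutable deep merge next to a
// hardened one, driven by a configuration object that came through JSON.parse.
const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable (hypothetical): for the key "__proto__", target["__proto__"]
// resolves through the inherited accessor to Object.prototype, so the
// recursion merges the attacker's keys into every plain object in the process.
function mergeConfigVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      mergeConfigVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the three keys that can reach a prototype, and never
// descend into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeConfigSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isObject(src)) {
      const dst = Object.hasOwn(target, key) && isObject(target[key]) ? target[key] : {};
      target[key] = mergeConfigSafe(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse yields an object whose own
// property is literally named "__proto__" (it does not pollute by itself).
const attackerJson = '{"baseURL":"https://api.example.test","__proto__":{"polluted":"yes"}}';

// Returns what a fresh, unrelated object sees after the vulnerable merge,
// then undoes the pollution so the rest of the process is unaffected.
function runVulnerable() {
  const probe = {};
  try {
    mergeConfigVulnerable({}, JSON.parse(attackerJson));
    return probe.polluted; // 'yes'
  } finally {
    delete Object.prototype.polluted;
  }
}

// Returns the merged config and whether anything leaked onto the prototype.
function runSafe() {
  const merged = mergeConfigSafe({ timeout: 1000 }, JSON.parse(attackerJson));
  const probe = {};
  return {
    polluted: probe.polluted,                    // undefined
    baseURL: merged.baseURL,                     // copied normally
    timeout: merged.timeout,                     // existing key preserved
    hasProtoKey: Object.hasOwn(merged, '__proto__'), // false: key was dropped
  };
}
```

Dropping the key silently is the conservative choice for a library; an application-level merge may prefer to throw so that the malformed configuration is logged rather than partially applied.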