axios 1.2.0 vulnerabilities

Known vulnerabilities in the axios package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via `setAttribute('href' href)` in `/axios/dist/axios.js` due to improper input sanitization. How to fix Cross-site Scripting (XSS)? Upgrade `axios` to version 1.7.8 or higher.	<1.7.8
H Prototype Pollution axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the `formDataToJSON` function. How to fix Prototype Pollution? Upgrade `axios` to version 0.29.0, 1.6.4 or higher.	>=0.28.0 <0.29.0>=1.0.0 <1.6.4
M Regular Expression Denial of Service (ReDoS) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of `O(n^2)`. This makes the server to become unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `axios` to version 0.29.0, 1.6.3 or higher.	<0.29.0>=1.0.0 <1.6.3
H Cross-site Request Forgery (CSRF) axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the `X-XSRF-TOKEN` header using the secret `XSRF-TOKEN` cookie value in all requests to any server when the `XSRF-TOKEN`0 cookie is available, and the `withCredentials` setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass. How to fix Cross-site Request Forgery (CSRF)? Upgrade `axios` to version 0.28.0, 1.6.0 or higher.	>=0.8.1 <0.28.0>=1.0.0 <1.6.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via setAttribute('href' href) in /axios/dist/axios.js due to improper input sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade axios to version 1.7.8 or higher.

<1.7.8

Prototype Pollution

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Prototype Pollution via the formDataToJSON function.

How to fix Prototype Pollution?

Upgrade axios to version 0.29.0, 1.6.4 or higher.

>=0.28.0 <0.29.0>=1.0.0 <1.6.4

Regular Expression Denial of Service (ReDoS)

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can deplete system resources by providing a manipulated string as input to the format method, causing the regular expression to exhibit a time complexity of O(n^2). This makes the server to become unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade axios to version 0.29.0, 1.6.3 or higher.

<0.29.0>=1.0.0 <1.6.3

Cross-site Request Forgery (CSRF)

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade axios to version 0.28.0, 1.6.0 or higher.

>=0.8.1 <0.28.0>=1.0.0 <1.6.0

axios@1.2.0 vulnerabilities

Promise based HTTP client for the browser and node.js

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?