Cross-site Request Forgery (CSRF) Affecting axios package, versions >0.8.1 <1.6.0


0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.06% (21st percentile)
Expand this section
NVD
6.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-AXIOS-6032459
  • published 25 Oct 2023
  • disclosed 23 Oct 2023
  • credit Valentin Panov

How to fix?

Upgrade axios to version 1.6.0 or higher.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.