This repository was archived by the owner on Jul 28, 2025. It is now read-only.



@fdevans fdevans commented Jul 28, 2025

CVE-2023-45857 Mitigation Analysis & Impact Assessment

✅ Confirmed: Upgrade to axios 0.28.0 Successfully Mitigates CVE-2023-45857
CVE Details:

  • CVE ID: CVE-2023-45857
  • Severity: 6.5/10 (Medium)
  • Issue: XSRF-TOKEN cookie value disclosed in X-XSRF-TOKEN header to unauthorized third-party hosts
  • Affected Versions: 0.8.1 through 1.5.1 (and 0.x versions < 0.28.0)
Impact Assessment
✅ Minimal Breaking Changes Expected
Why the upgrade is safe for this project:

  • No XSRF Token Usage: The codebase analysis shows no explicit usage of XSRF/CSRF tokens:
      • No xsrfCookieName, xsrfHeaderName, or withXSRFToken configurations found
      • The main axios usage is for basic authentication (j_security_check endpoints)
  • Simple HTTP Patterns: The project uses straightforward HTTP POST requests with:
      • Form parameters (j_username, j_password)
      • Basic headers and validation
      • No complex XSRF token handling
  • withCredentials Usage: While the README shows {withCredentials: true}, this is used with the @azure/ms-rest-js client, not directly with axios calls.

Breaking Change Details (axios 0.x → 0.28.0)

The main breaking change introduced in 0.28.0 is:

  • XSRF tokens are no longer sent by default to cross-origin requests
  • Applications that relied on automatic XSRF token inclusion need to explicitly enable it with withXSRFToken: true

This change does NOT affect this project because:

  • No XSRF token functionality is used
  • All axios calls are for same-origin authentication endpoints
  • No cross-site request patterns that would be affected
Additional Considerations

TypeScript Compatibility: ✅ Resolved

  • Updated TypeScript from 3.8.3 → 4.9.5 to support axios 0.28.0 type definitions
  • All existing code patterns remain compatible

Other Security Vulnerabilities: ⚠️ Note

  • A newer vulnerability (CVE-2025-27152) affects axios < 0.30.0
  • This is a different SSRF/credential leakage issue (not related to XSRF tokens)
  • Can be addressed in a future upgrade if needed
Recommended Actions

✅ Immediate (Completed)

  • Upgrade axios: 0.21.3 → 0.28.0 ✅
  • Upgrade TypeScript: 3.8.3 → ^4.5.0 ✅
  • Verification: CVE-2023-45857 no longer appears in npm audit ✅

🔄 Future Considerations

  • Monitor for axios 0.30.0: Consider upgrading to address CVE-2025-27152 when appropriate
  • Test thoroughly: While minimal impact expected, run full test suite
  • Review dependencies: Other moderate/high vulnerabilities exist in @azure/ms-rest-js, fetch-mock, etc.
Conclusion
✅ The upgrade to axios 0.28.0 successfully mitigates CVE-2023-45857 with minimal risk of breaking changes for this project. The codebase uses simple HTTP authentication patterns that are unaffected by the XSRF token behavior changes introduced in the security fix.

CVE-2025-27152 Mitigation Analysis & Impact Assessment

✅ Confirmed: Upgrade to axios 0.30.0 Successfully Mitigates CVE-2025-27152
CVE Details:

  • CVE ID: CVE-2025-27152
  • Severity: 7.7/10 (High)
  • Issue: SSRF and credential leakage via absolute URLs when baseURL is configured
  • Affected Versions: < 0.30.0 (0.x branch) and >= 1.0.0, < 1.8.2 (1.x branch)
Impact Assessment
✅ No Breaking Changes Expected
Why this upgrade is safe for this project:

  • No axios.create() with baseURL: The codebase doesn't use axios.create() with baseURL configuration
  • Direct URL construction: All axios calls use complete URLs constructed via string interpolation:
  • No vulnerable patterns: The SSRF vulnerability only affects scenarios where:
      • A baseURL is configured on an axios instance
      • AND absolute URLs are passed to request methods

This project does neither
Technical Details

The fix introduces an allowAbsoluteUrls option that defaults to false. When baseURL is set and an absolute URL is passed, axios now:

  • Before 0.30.0: Would ignore baseURL and send requests to the absolute URL (vulnerable to SSRF)
  • After 0.30.0: Blocks absolute URLs by default, preventing SSRF attacks

This project's usage patterns:

  • ✅ No baseURL configuration in axios calls
  • ✅ Uses complete URLs like ${baseUri}/j_security_check
  • ✅ No dynamic URL parameters that could be exploited
  • ✅ All requests go to the expected Rundeck endpoints
Verification

  • ✅ Security audit confirmation: CVE-2025-27152 no longer appears in npm audit
  • ✅ TypeScript compatibility: Code compiles successfully with no type errors
  • ✅ Axios usage patterns: All existing patterns remain unaffected

Remaining Vulnerabilities

The audit now shows 5 vulnerabilities (down from 6):

  • axios: ✅ Fixed - Both CVE-2023-45857 and CVE-2025-27152 resolved
  • path-to-regexp: ⚠️ Used by fetch-mock (dev dependency)
  • tough-cookie, xml2js: ⚠️ Used by @azure/ms-rest-js
Summary

🎉 Both major axios vulnerabilities have been successfully mitigated:

  • CVE-2023-45857 (XSRF token leakage) ✅ Fixed in 0.28.0
  • CVE-2025-27152 (SSRF/credential leakage) ✅ Fixed in 0.30.0
The upgrade path 0.21.3 → 0.28.0 → 0.30.0 introduces no breaking changes for this project's usage patterns and significantly improves the security posture.

Additionally RESOLVED (Major Impact)

  • CVE-2023-45857 (XSRF token leakage) - Fixed by axios 0.28.0 ✅
  • CVE-2025-27152 (SSRF/credential leakage) - Fixed by axios 0.30.0 ✅
  • CVE-2023-26136 (tough-cookie prototype pollution) - Fixed by @azure/ms-rest-js 2.7.0 ✅
  • xml2js prototype pollution - Fixed by @azure/ms-rest-js 2.7.0 ✅
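The two behaviour changes the analysis above depends on (the 0.28.0 XSRF-header rule and the 0.30.0 `allowAbsoluteUrls` rule) can be checked per call site rather than by version number alone. The following is an added example, not code from this PR and not axios's source: a simplified model of both decisions with the pre-fix and post-fix paths side by side. The function names (`isAbsoluteURL`, `combineURLs`, `buildFullPath`, `isURLSameOrigin`) follow axios's helpers for readability, but their bodies are a model of the documented behaviour; `PAGE_ORIGIN`, `assessRequest` and every URL and cookie value are constructed for the example.

```javascript
// Added example, not axios's own code and not part of this PR: a simplified
// model of the request-building decisions behind CVE-2023-45857 (XSRF header
// sent cross-origin) and CVE-2025-27152 (absolute URL overriding baseURL),
// pre-fix and post-fix, so "does this project hit the vulnerable path?" can be
// checked for a concrete request config. All inputs below are constructed.

const PAGE_ORIGIN = "https://rundeck.example.test"; // constructed sample page origin

// An absolute URL carries a scheme ("https://...") or is protocol-relative ("//host/...").
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Join baseURL and a relative path with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  if (!relativeURL) return baseURL;
  return baseURL.replace(/\/?\/$/, "") + "/" + relativeURL.replace(/^\/+/, "");
}

// CVE-2025-27152, pre-fix (< 0.30.0): an absolute requestedURL silently replaces
// baseURL, so untrusted path input can redirect the request (SSRF) and the
// instance's credentials travel with it.
function buildFullPathLegacy(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Post-fix (>= 0.30.0), modelled on the allowAbsoluteUrls option (default false):
// with a baseURL configured, an absolute requestedURL is treated as a path under
// baseURL unless the caller opts in. Without a baseURL (this project's pattern)
// the request URL is used as given, exactly as before.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = false) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || !allowAbsoluteUrls)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Same-origin test against the page origin; relative paths resolve to that origin.
function isURLSameOrigin(fullPath, origin = PAGE_ORIGIN) {
  return new URL(fullPath, origin).origin === new URL(origin).origin;
}

// CVE-2023-45857, pre-fix: the XSRF-TOKEN cookie value was echoed in X-XSRF-TOKEN
// whenever withCredentials was set, including to cross-origin hosts.
function sendsXsrfHeaderLegacy(fullPath, { withCredentials = false, cookieValue } = {}) {
  return Boolean(cookieValue) && (withCredentials || isURLSameOrigin(fullPath));
}

// Post-fix (>= 0.28.0): the header goes only to same-origin requests unless
// withXSRFToken is explicitly true; withXSRFToken: false disables it entirely.
function sendsXsrfHeader(fullPath, { withXSRFToken, cookieValue } = {}) {
  if (!cookieValue) return false;
  if (withXSRFToken === true) return true;
  if (withXSRFToken === false) return false;
  return isURLSameOrigin(fullPath);
}

// Summarise how one request config behaves before and after the fixes.
function assessRequest({ baseURL = "", url, withCredentials, withXSRFToken, cookieValue }) {
  const legacyPath = buildFullPathLegacy(baseURL, url);
  const fixedPath = buildFullPath(baseURL, url);
  return {
    legacyPath,
    fixedPath,
    // The request leaves baseURL's origin only on the pre-fix code path.
    ssrfExposed: baseURL !== "" && legacyPath !== fixedPath,
    xsrfLeakLegacy:
      sendsXsrfHeaderLegacy(legacyPath, { withCredentials, cookieValue }) && !isURLSameOrigin(legacyPath),
    xsrfLeakFixed:
      sendsXsrfHeader(fixedPath, { withXSRFToken, cookieValue }) && !isURLSameOrigin(fixedPath),
  };
}

// This project's pattern: a complete same-origin URL and no baseURL.
const projectLogin = assessRequest({
  url: `${PAGE_ORIGIN}/j_security_check`,
  withCredentials: true,
  cookieValue: "constructed-token",
});
// The pattern both CVEs concern: a baseURL instance handed an untrusted absolute URL.
const untrustedAbsolute = assessRequest({
  baseURL: "https://api.example.test/v1",
  url: "https://third-party.example.test/collect",
  withCredentials: true,
  cookieValue: "constructed-token",
});
console.log(projectLogin);
console.log(untrustedAbsolute);
```

Run with `node` to see that the project's same-origin `j_security_check` call reports no exposure on either code path, while a `baseURL` instance given an absolute URL reports `ssrfExposed` and `xsrfLeakLegacy` before the fixes and neither after them. The useful part of the model is the decision table: whether a call site is affected depends on `baseURL`, on where the URL string comes from, and on `withCredentials`/`withXSRFToken`, not on the axios version alone.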

fdevans added 3 commits July 28, 2025 11:23
✅ RESOLVED (Major Impact)
CVE-2023-45857 (XSRF token leakage) - Fixed by axios 0.28.0 ✅
CVE-2025-27152 (SSRF/credential leakage) - Fixed by axios 0.30.0 ✅
CVE-2023-26136 (tough-cookie prototype pollution) - Fixed by @azure/ms-rest-js 2.7.0 ✅
xml2js prototype pollution - Fixed by @azure/ms-rest-js 2.7.0 ✅
@fdevans fdevans requested review from a team and Copilot July 28, 2025 18:50

Copilot AI left a comment


Pull Request Overview

This PR upgrades critical dependencies to mitigate several high-severity CVEs, focusing on axios security vulnerabilities and related dependency fixes.

  • Upgrades axios from 0.21.3 to 0.30.0 to fix CVE-2023-45857 (XSRF token leakage) and CVE-2025-27152 (SSRF/credential leakage)
  • Updates @azure/ms-rest-js from 2.0.7 to 2.7.0 to resolve CVE-2023-26136 and xml2js prototype pollution vulnerabilities
  • Upgrades TypeScript from 3.8.3 to 4.5.0 for compatibility with newer axios type definitions
Comments suppressed due to low confidence (1)

package.json:32

  • The TypeScript version ^4.5.0 is using a caret range that may include versions beyond 4.5.x. Consider using a more specific version like "4.9.5" as mentioned in the PR description, or at minimum "~4.5.0" to avoid potential compatibility issues with major version changes.
    "typescript": "^4.5.0"
