NPM Axios vulnerability
The Virsec Security Research Lab provides detailed analysis of recent and notable security vulnerabilities, like this NPM Axios package vulnerable to server-side request forgery (SSRF) attacks.
Vulnerability Summary
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker can bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
CVSS Score
The CVSS Base Score is 9.8 (Critical)
Affected Version
Axios Version [0.21.0]
Node.js Version [v12.18.2]
Vulnerability Attribution
This vulnerability was reported through the axios GitHub project (issue #3369, linked below).
Risk Impact
This NPM package makes XMLHttpRequests from the browser, makes HTTP requests from Node.js, supports the Promise API, intercepts requests and responses, transforms request and response data, cancels requests, automatically transforms JSON data, and provides client-side support for protecting against XSRF.
In cases where Axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP. A public exploit for this vulnerability has been published.
Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Web can detect SSRF attacks and prevent this attack from being exploited.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-28168
- https://github.com/axios/axios/issues/3369
Download the full vulnerability report to learn more about this and other important vulnerabilities.