The Virsec Security Research Lab provides detailed analysis of recent and notable security vulnerabilities, like the Axios NPM package, which is vulnerable to server-side request forgery (SSRF) attacks.
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker can bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Watch the video to learn more about this and other important vulnerabilities.
The CVSS Base Score is 9.8 (Critical)
Axios Version [0.21.0]
Node.js Version [v12.18.2]
This vulnerability was reported through the GitHub project.
This NPM package makes XMLHttpRequests from the browser, makes HTTP requests from Node.js, supports the Promise API, intercepts requests and responses, transforms request and response data, cancels requests, automatically transforms JSON data, and provides client-side support for protecting against XSRF.
In cases where Axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host or IP address: the initial request goes through the proxy, but the redirect target is fetched directly. A public exploit for this vulnerability exists.
The Virsec Security Platform (VSP)-Web can detect SSRF attacks and prevent this attack from being exploited.
Download the full vulnerability report to learn more about this and other important vulnerabilities.