Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker can bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Watch the video to learn more about this and other important vulnerabilities.
The CVSS Base Score is 9.8 (Critical).
Axios version: 0.21.0; Node.js version: v12.18.2.
This vulnerability was reported in the project's GitHub repository.
This npm package makes XMLHttpRequests from the browser, makes HTTP requests from Node.js, supports the Promise API, intercepts requests and responses, transforms request and response data, cancels requests, automatically transforms JSON data, and provides client-side support for protecting against XSRF.
In cases where Axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host or IP address: the redirect is followed without going through the proxy, so the request reaches the redirect target directly. A public exploit for this vulnerability exists here.
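The defensive pattern that closes this class of bug is to stop the HTTP client from following redirects on its own and to validate every hop before issuing it. The Node.js code below is an added example and is not code from the axios project or from Virsec; `fetchOnce`, `fakeNetwork` and the hostnames in it are constructed for the demonstration, while `maxRedirects` and `validateStatus` are real axios options.

```javascript
// Added example (not from the axios project): validate every redirect hop
// before following it, so a 3xx from a permitted host cannot steer the
// server-side request at an internal address. Host checks here are
// syntactic; a production guard would also resolve DNS and check the
// address actually connected to.
function isRestrictedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.includes(':')) { // IPv6: loopback, unspecified, ULA, link-local, v4-mapped
    return h === '::1' || h === '::' || /^f[cd]/.test(h) || h.startsWith('fe80')
      || h.startsWith('::ffff:');
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false; // a DNS name: resolve and re-check its addresses before connecting
  const [a, b] = m.slice(1).map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Manual redirect loop. `fetchOnce(url)` issues ONE request without following
// redirects and resolves to {status, headers, body} with lowercase header names;
// with axios that is axios.get(url, { maxRedirects: 0, validateStatus: () => true }).
async function fetchWithGuardedRedirects(startUrl, fetchOnce, maxHops = 5) {
  let url = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!['http:', 'https:'].includes(url.protocol) || isRestrictedHost(url.hostname)) {
      throw new Error(`blocked request to ${url.href}`);
    }
    const res = await fetchOnce(url.href);
    if (res.status < 300 || res.status > 399 || !res.headers.location) return res;
    url = new URL(res.headers.location, url); // relative Location resolved against current hop
  }
  throw new Error('too many redirects');
}

// Constructed stand-in for the network (no real requests): a public host whose
// redirect points at a loopback address, the pattern described above.
const fakeNetwork = {
  'http://public.example/': { status: 302, headers: { location: 'http://127.0.0.1:8080/admin' }, body: '' },
  'http://public.example/ok': { status: 302, headers: { location: '/final' }, body: '' },
  'http://public.example/final': { status: 200, headers: {}, body: 'hello' },
};
const fakeFetchOnce = async (url) => {
  if (!fakeNetwork[url]) throw new Error(`no route for ${url}`);
  return fakeNetwork[url];
};

async function demo() {
  const ok = await fetchWithGuardedRedirects('http://public.example/ok', fakeFetchOnce);
  let blocked = '';
  try { await fetchWithGuardedRedirects('http://public.example/', fakeFetchOnce); }
  catch (e) { blocked = e.message; }
  return { okBody: ok.body, blocked }; // okBody 'hello'; blocked 'blocked request to http://127.0.0.1:8080/admin'
}
```

The same guard should also be applied to the URL the user supplied in the first place, and to proxy bypass settings such as `no_proxy`, so that no hop is ever connected to without a check.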
Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Web can detect SSRF attacks and prevent this vulnerability from being exploited.