Blog
11.25.2020

CVE-2020-28168 Axios NPM SSRF Exploit

NPM Axios vulnerability

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities, like this NPM ip package vulnerable to server-side request forgery (SSRF) attacks

Vulnerability Summary

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker can bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base Score is 9.8 (Critical)

Affected Version

Axios Version [0.21.0]
Node.js Version [v12.18.2]

Vulnerability Attribution

This vulnerability is reported by the Github Project.

Risk Impact

This NPM make XMLHttpRequests from the browser; makes http requests from node.js; supports the Promise API; intercept request and response; transform request and response data; cancels requests; automatically transforms JSON data; client-side support for protecting against XSRF

In cases where Axios is used by servers to perform http requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP. Public exploit for this vulnerability exists here.

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)-Web can detect SSRF attacks and prevent this attack from being exploited.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Jump to: List of CVE Vulnerabilities

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.