[GHSA-jr5f-v2jv-69x6] axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL #5420


Closed



@vvalekk vvalekk commented Mar 31, 2025

Updates

  • CVSS v4
  • Severity

Comments
Audit keeps reporting this as a vulnerability even when using 0.30.0. Probably because the patched in rule says ' >=1.8.2' instead of 0.30.0 when < 1.0

Collaborator

github commented Mar 31, 2025

Hi there @jasonsaayman! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to vvalekk/advisory-improvement-5420 March 31, 2025 13:25
@sgleisner

Version 0.30.0 was included as a patched version in #5411, and at least on my end, the audit is not showing the vulnerability when using 0.30.0.

Could it be a cache issue on your side, @vvalekk?

Contributor

shelbyc commented Mar 31, 2025

Hi @vvalekk, as @sgleisner mentioned, 0.30.0 is listed as a patched version in GHSA-jr5f-v2jv-69x6. If you're having trouble with a Dependabot alert, you may need to reach out to http://support.github.com/. I'm closing this PR because issues with specific users' alerts are beyond the scope of advisory content concerns.

@shelbyc shelbyc closed this Mar 31, 2025
@shelbyc shelbyc deleted the vvalekk-GHSA-jr5f-v2jv-69x6 branch March 31, 2025 17:10