NodeJS/axios/1.7.3
Promise based HTTP client for the browser and node.js
https://www.npmjs.com/package/axios
MIT
1 Security Vulnerabilities
Server-Side Request Forgery in axios
Published date: 2024-08-12T15:30:49Z
CVE: CVE-2024-39338
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39338
- https://github.com/axios/axios/releases
- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html
- https://github.com/axios/axios/issues/6463
- https://github.com/axios/axios/pull/6539
- https://github.com/advisories/GHSA-8hc4-vh64-cxmj
- https://github.com/axios/axios/pull/6543
- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a
- https://github.com/axios/axios/releases/tag/v1.7.4
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
Affected versions:
["1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.4.0", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.7.0-beta.0", "1.7.0-beta.1", "1.7.0-beta.2", "1.7.0", "1.7.1", "1.7.2", "1.7.3"]
Secure versions:
[1.0.0-alpha.1, 0.28.0, 0.28.1, 1.7.4, 1.7.5, 1.7.6, 1.7.7]
Recommendation:
Update to version 1.7.7.
104 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.2.2 | MIT | 3 | 2014-09-15 - 03:30 | about 10 years |
| 0.2.1 | MIT | 3 | 2014-09-12 - 22:57 | about 10 years |
| 0.2.0 | MIT | 3 | 2014-09-12 - 20:06 | about 10 years |
| 0.1.0 | MIT | 3 | 2014-08-29 - 23:08 | about 10 years |