Weakness
The Axios library, version 0.21.4
Description
Vulnerability Description:
The Axios library, version 0.21.4, is vulnerable to two medium-severity vulnerabilities:
Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-45857): Axios is vulnerable to CSRF attacks, which could allow an attacker to perform unauthorized actions on behalf of the user.
Proxy Authentication Credentials Leak (GHSA-wf5p-g6vw-rhxx): Axios depends on the follow-redirects library, which has a vulnerability that could leak proxy authentication credentials.
Impact:
CSRF Vulnerability: An attacker could use this vulnerability to perform unauthorized actions on behalf of the user, such as changing their account settings or making unauthorized requests.
Proxy Authentication Credentials Leak: An attacker could use this vulnerability to obtain the proxy authentication credentials, which could be used to access sensitive information or systems.
Remediation:
Update Axios to a secure version: Update Axios to version 1.6.8 or later, which fixes the CSRF vulnerability.
Update follow-redirects to a secure version: Update the follow-redirects library to version 1.15.6 or later, which fixes the proxy authentication credentials leak vulnerability.
Implement CSRF protection: Implement CSRF protection measures, such as using the csrf middleware in your application.
Use a secure proxy configuration: Use a secure proxy configuration that does not leak authentication credentials.
Steps to Reproduce:
Create a test environment: Create a test environment with Axios version 0.21.4 and a vulnerable version of follow-redirects.
Send a request with a malicious redirect: Send a request to the test environment with a malicious redirect that triggers the CSRF vulnerability.
Verify the response: Verify that the response contains the proxy authentication credentials.
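A practical check for the remediation versions named above (axios 1.6.8 or later, follow-redirects 1.15.6 or later), added here as an example that is not part of the original report: it walks the "packages" map of a package-lock.json (lockfile v2/v3 layout) and flags every installed copy, nested ones included, that is older than the fixed version. The lockfile object and the nested follow-redirects version are constructed for illustration.

```javascript
// Added example: audit lockfile entries against the fixed versions named in the report.
// Constructed sample data below; not taken from a real project.

const FIXED_VERSIONS = {
  "axios": "1.6.8",             // CVE-2023-45857
  "follow-redirects": "1.15.6", // GHSA-wf5p-g6vw-rhxx
};

// Parse "1.6.8" or "1.15.6-beta.1" into [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk lock.packages (keys like "node_modules/axios" or
// "node_modules/axios/node_modules/follow-redirects") and collect outdated copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const fixed = FIXED_VERSIONS[name];
    if (fixed && compareVersions(entry.version, fixed) < 0) {
      findings.push({ path, name, installed: entry.version, fixed });
    }
  }
  return findings;
}

// Constructed lockfile: the report's axios 0.21.4 plus a nested, outdated follow-redirects.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.21.4" },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.14.9" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // two findings: axios and the nested follow-redirects
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a lockfile v1 file has a "dependencies" tree instead of "packages" and is not handled here.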
Hello. KUR.
I’m Donna.
The ticket you reported is a report that only suggests the possibility of exploitation.
Therefore, since it is not a vulnerability, we will terminate it.