Server-Side Request Forgery in Axios NPM Package
CVE-2020-28168

5.9MEDIUM

Key Information:

Vendor: Axios
Status: Axios
Vendor: CVE Published:; 6 November 2020

🔔 Create Axios Vulnerability Alert

What is CVE-2020-28168?

The Axios NPM package version 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability, allowing attackers to exploit the package by crafting a specific URL. This exploit enables them to bypass proxy configurations and access restricted hosts or IP addresses through redirect responses, posing significant security risks to systems utilizing this package.

References

https://github.com/axios/axios/issues/3369

x_refsource_MISC

https://lists.apache.org/thread.html/r954d80fd18e9dafef6e...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r25d53acd06f29244b8a...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2020
Vulnerability Reserved
Nov 2, 2020

.

CVE-2020-28168 : Server-Side Request Forgery in Axios NPM Package