Server-Side Request Forgery in Axios NPM Package
CVE-2020-28168

5.9MEDIUM

Key Information:

Vendor

Axios

Status
Axios
Vendor
CVE Published:
6 November 2020

What is CVE-2020-28168?

The Axios NPM package version 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability, allowing attackers to exploit the package by crafting a specific URL. This exploit enables them to bypass proxy configurations and access restricted hosts or IP addresses through redirect responses, posing significant security risks to systems utilizing this package.

References

https://github.com/axios/axios/issues/3369
x_refsource_MISC
https://lists.apache.org/thread.html/r954d80fd18e9dafef6e...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r25d53acd06f29244b8a...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.