Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS04aGM0LXZoNjQtY3htas4AA-hD

High EPSS: 0.02141% (0.84553 Percentile) EPSS:
Permalink JSON

Server-Side Request Forgery in axios

Affected Packages Affected Versions Fixed Versions
npm:axios
PURL: pkg:npm/axios
>= 1.3.2, <= 1.7.3 1.7.4
97,210 Dependent packages
453,457 Dependent repositories
464,177,977 Downloads last month

Affected Version Ranges

All affected versions

1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.0-beta.0, 1.7.0-beta.1, 1.7.0-beta.2, 1.7.1, 1.7.2, 1.7.3

All unaffected versions

0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.28.0, 0.28.1, 0.29.0, 0.30.0, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.31.0, 0.31.1, 0.32.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.17.0

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package Ecosystem Latest Version Classification
@depup/axios npm Likely Fork
@weyforth/axios npm 0.18.1 Likely Fork
@livepeer/axios npm 0.19.2 Likely Fork
@mxw/axios npm 1.0.0-alpha.6 Likely Fork
@zahiruddinnorzain/axios npm 1.4.0 Likely Fork
@briefy/axios npm 0.19.0 Likely Fork
@pansy/axios npm 0.2.0 Likely Fork
@justinbeckwith/axios npm 0.1.1 Likely Fork
@bmy/axios npm 0.19.3 Likely Fork
@sppk/axios npm 0.24.1 Likely Fork
@unional/axios npm 1.3.3 Likely Fork
@looko/axios npm 1.7.9 Likely Fork
@voypost/axios npm 0.19.1 Likely Fork
@sqwiroux/axios npm 1.8.4 Likely Fork
@ikonintegration/axios npm 0.19.3 Likely Fork
github.com/axios/Axios go v1.13.5 Repackage
axios nuget 0.16.2 Repackage
github.com/axios/axios go v1.13.5 Repackage

Package Ecosystem Latest Version
bill-axios npm 1.0.0
redroseaxxios npm 1.0.0
gc-axios npm 0.19.1
csap-axios npm 1.0.1
axios-cancel bower v1.13.3
axios-node-v1 npm 0.24.0
fetch-like-axios npm 0.0.5
mhyaxios2 npm 0.21.1
chensi_axios npm 0.18.2
tc-public-assembly npm 0.1.1
wax-match-axios-client npm 1.4.0
axiosforfivem npm 1.0.1
@huangjingjing/axios-fetch npm 1.0.7
org.webjars.npm:types__axios maven 0.14.0
axios-redos-fixed npm 1.6.4
astmain npm 2.0.1
resmic_adi_test npm 1.0.2
axios-temp npm 0.19.1
jfaxios npm 0.0.4
axiosttt npm 0.21.6
wechat_axios npm 0.19.0-beta.2
axios-quick npm 0.19.1
axios-advanced npm 1.7.2
axios-mini npm 1.4.0
axios-dev2 npm 0.0.3
axios-mp npm 1.0.2
org.webjars.npm:axios maven 1.13.5
@podong-e/my_npm_module npm 0.19.0-beta.1
min_axios npm 0.1.8
@neonmaster/axios-hehe npm 1.10.0
community-axios npm 0.19.1
org.webjars.bowergithub.axios:axios maven 1.5.0
axios-dm npm 0.26.3
axioswill npm 0.18.0
wangin-axios npm 0.1.0
@extscreen/es3-axios npm 0.0.1-alpha.3
abs1004-axios npm 0.21.4
tj-axios npm 0.17.1
lunare-http npm 0.0.1
mapsdk_test npm 1.0.2
dy-axios npm 0.18.1
gas-axios npm 0.18.0
@testuser__/axios_test npm 1.2.8
contractq-axios npm 1.7.5
abs1118-axios npm 0.21.0
ahxios npm 0.19.2
hd_axios npm 1.0.2
anime-axios npm 0.1.1
kickstand-axios npm 0.21.5
six-axios npm 1.6.8
@lcap/axios-fixed npm 1.13.4
axios-sky npm 1.7.2
red-wxaxios npm 1.0.0
axios-for-nuxt npm 0.19.0
axiosync npm 0.19.0-beta.4
axios.js nuget 0.18.0
org.mvnpm:axios maven 1.13.5
caxios2020 npm 0.19.8
basic_kim_math npm 1.1.1
tauri-axios-wrapper npm 1.7.9
org.webjars.bower:axios maven 0.21.1
axl0s npm 1.0.0
ca-axios npm
axiosqqq npm

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

References:

Identifiers

GHSA-8hc4-vh64-cxmj

CVE-2024-39338

Risk

Severity

High

EPSS

EPSS Percentage: 0.02141

EPSS Percentile: 0.84553

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/axios/axios
View on Ecosyste.ms

Date and time

Published

almost 2 years ago

Updated

8 days ago

API

JSON