A Denial of Service vulnerability discovered in the Axios JavaScript package - affecting all versions of the popular HTTP client

Written by:

May 6, 2019

0 mins read

axios is a popular promise-based modern JavaScript HTTP client which is commonly used for browser and Node.js server projects, receiving more than 3 million weekly downloads from npm.

Snyk logged a Denial of Service medium severity (5.3 CVSS) security vulnerability affecting axios, which was discussed and shared as early as 2017 by developer Jeremy Apthorp in the project’s GitHub issue queue.

Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.

About the vulnerability

Anthorp shared a code snippet in the GitHub issue to show an example use-case of the axios API limits the size of the received HTTP response:

  { maxContentLength: 2000 }
  .then(d => console.log('done'))
  .catch(e => console.log(e.toString()))

However, regardless of the content length limit, the HTTP connection stays open until the complete file size data has transferred, therefore allowing anyone who controls the remote domain, or eavesdropping on an insecure wire, to provide a large file size and block the request from completing for a significant amount of time.

No official fix for this vulnerability has been published at the time of writing this article, but community involvement in the form of a Pull Request to fix the issue was opened in the project’s GitHub repository and is waiting to be merged and released.

Snyk users are protected by applying a security patch for versions >= 0.17.0 of axios that will mitigate the denial of service vulnerability.

Connect your repository and apply the patch.

UPDATE 31/05/2019: A fix has been released and available in axios versions >= 0.19.0

Snyk identified the vulnerability in over 215,000 projects scanned and immediately alerted our relevant users. Those of our users who have been using our runtime security monitoring solution were not only made aware of the vulnerability but were also informed of the urgency in which it needs to be addressed, due to the fact that in most cases it is reachable within the application’s runtime code flow, and therefore can be exploited in high probability.

In the case of axios, the runtime security monitoring integration with their application helped increase their ability to identify live production deployment security issues.

Does it affect me and what should I do?

If you are requesting resources from untrusted sources, or via insecure mediums, then you are potentially vulnerable to Denial of Service where malicious users can control the remote resource.

When using axios in a Node.js server this can be disastrous due to the single threaded nature of the runtime. A spike in resources such as I/O and CPU negatively affect all users connected to that server. In browser environments, the Denial of Service negatively affects end-users with varying severity, depending on how the resource fetching with axios is used in the application.

What should I do?

A note about open source project health

Open source maintenance can be more and more challenging as a project grows in popularity. Issues grow in numbers, requiring evermore attention; documentation work to be created and kept up-to-date increases; along with bug fixes and stable releases, just to name some tasks of the work that is expected from project maintainers, and is often times delivered completely voluntarily.

Choosing your open source dependencies should be done with due diligence in order to minimize disruptions for your project as much as possible. Following are several aspects of the axios project dependency health information that we can learn from Snyk’s insights:

  • axios first published its 0.1.0 version 5 years ago, on 29 Aug, 2014.

  • The latest stable version 0.18.0 was published 9 month ago, on 19 Feb, 2018.

  • All released versions are affected by the aforementioned Denial of Service vulnerability.

The project received contributions from as many as 159 developers, but releases are still managed by project leaders Nick Uraltsev and Matt Zabriskie.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo