A Denial of Service vulnerability discovered in the Axios JavaScript package - affecting all versions of the popular HTTP client

axios is a popular promise-based modern JavaScript HTTP client which is commonly used for browser and Node.js server projects, receiving more than 3 million weekly downloads from npm.

Snyk logged a Denial of Service medium severity (5.3 CVSS) security vulnerability affecting axios, which was discussed and shared as early as 2017 by developer Jeremy Apthorp in the project’s GitHub issue queue.

Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.

About the vulnerability

Anthorp shared a code snippet in the GitHub issue to show an example use-case of the axios API limits the size of the received HTTP response:

require('axios').get(
  'https://upload.wikimedia.org/wikipedia/commons/f/fe/A_Different_Slant_on_Carina.jpg',
  { maxContentLength: 2000 }
)
  .then(d => console.log('done'))
  .catch(e => console.log(e.toString()))

However, regardless of the content length limit, the HTTP connection stays open until the complete file size data has transferred, therefore allowing anyone who controls the remote domain, or eavesdropping on an insecure wire, to provide a large file size and block the request from completing for a significant amount of time.

No official fix for this vulnerability has been published at the time of writing this article, but community involvement in the form of a Pull Request to fix the issue was opened in the project’s GitHub repository and is waiting to be merged and released.

Snyk users are protected by applying a security patch for versions >= 0.17.0 of axios that will mitigate the denial of service vulnerability.

Connect your repository and apply the patch.

UPDATE 31/05/2019: A fix has been released and available in axios versions >= 0.19.0

Snyk identified the vulnerability in over 215,000 projects scanned and immediately alerted our relevant users. Those of our users who have been using our runtime security monitoring solution were not only made aware of the vulnerability but were also informed of the urgency in which it needs to be addressed, due to the fact that in most cases it is reachable within the application’s runtime code flow, and therefore can be exploited in high probability.

In the case of axios, the runtime security monitoring integration with their application helped increase their ability to identify live production deployment security issues.

Does it affect me and what should I do?

If you are requesting resources from untrusted sources, or via insecure mediums, then you are potentially vulnerable to Denial of Service where malicious users can control the remote resource.

When using axios in a Node.js server this can be disastrous due to the single threaded nature of the runtime. A spike in resources such as I/O and CPU negatively affect all users connected to that server. In browser environments, the Denial of Service negatively affects end-users with varying severity, depending on how the resource fetching with axios is used in the application.

What should I do?

• If you’re using Snyk you can automatically protect yourself by applying the aforementioned security patch

• Apply the following mitigation in each of your calls to axios to defensively code against this vulnerability: axios({ url: ..., maxContentLength: 2000, }).catch((error) => { error.request.res.destroy(); });This is as suggested in https://github.com/axios/axios/issues/1098#issuecomment-334874694

• Apply the suggested Pull Request fix manually https://github.com/axios/axios/pull/1485

A note about open source project health

Open source maintenance can be more and more challenging as a project grows in popularity. Issues grow in numbers, requiring evermore attention; documentation work to be created and kept up-to-date increases; along with bug fixes and stable releases, just to name some tasks of the work that is expected from project maintainers, and is often times delivered completely voluntarily.

Choosing your open source dependencies should be done with due diligence in order to minimize disruptions for your project as much as possible. Following are several aspects of the axios project dependency health information that we can learn from Snyk’s insights:

• axios first published its 0.1.0 version 5 years ago, on 29 Aug, 2014.

• The latest stable version 0.18.0 was published 9 month ago, on 19 Feb, 2018.

• All released versions are affected by the aforementioned Denial of Service vulnerability.

The project received contributions from as many as 159 developers, but releases are still managed by project leaders Nick Uraltsev and Matt Zabriskie.