
A Denial of Service vulnerability discovered in the Axios JavaScript package – affecting all versions of the popular HTTP client

Liran Tal, May 6, 2019

axios is a popular promise-based modern JavaScript HTTP client which is commonly used for browser and Node.js server projects, receiving more than 3 million weekly downloads from npm.

Snyk logged a medium severity (5.3 CVSS) Denial of Service vulnerability affecting axios, which was discussed and shared as early as 2017 by developer Jeremy Apthorp in the project’s GitHub issue queue.

Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.

About the vulnerability

Apthorp shared a code snippet in the GitHub issue showing an example use case in which the axios API is asked to limit the size of the received HTTP response:

require('axios').get(
  'https://upload.wikimedia.org/wikipedia/commons/f/fe/A_Different_Slant_on_Carina.jpg',
  { maxContentLength: 2000 }
)
  .then(d => console.log('done'))
  .catch(e => console.log(e.toString()))

However, regardless of the content length limit, the HTTP connection stays open until the complete response body has been transferred. Anyone who controls the remote domain, or who can tamper with traffic on an insecure connection, can therefore serve a very large response and block the request from completing for a significant amount of time.

No official fix for this vulnerability has been published at the time of writing this article, but community involvement in the form of a Pull Request to fix the issue was opened in the project’s GitHub repository and is waiting to be merged and released.

Snyk users are protected by applying a security patch for versions >= 0.17.0 of axios that will mitigate the denial of service vulnerability.

UPDATE 31/05/2019: A fix has been released and is available in axios versions >= 0.19.0


Snyk identified the vulnerability in over 215,000 scanned projects and immediately alerted the relevant users. Those of our users who have been using our runtime security monitoring solution were not only made aware of the vulnerability but were also informed of the urgency with which it needs to be addressed, because in most cases it is reachable within the application’s runtime code flow and is therefore likely to be exploitable.


In the case of axios, users whose applications were integrated with runtime security monitoring were better able to identify the issue in live production deployments, as we can see in the following picture:

[Image: runtime security monitoring found security vulnerabilities in npm package axios]

Does it affect me and what should I do?

If you are requesting resources from untrusted sources, or via insecure mediums, then you are potentially vulnerable to Denial of Service where malicious users can control the remote resource.

When using axios in a Node.js server this can be disastrous due to the single-threaded nature of the runtime: a spike in resources such as I/O and CPU negatively affects all users connected to that server. In browser environments, the Denial of Service negatively affects end users with varying severity, depending on how the resource fetching with axios is used in the application.

What should I do?

  • If you’re using Snyk you can automatically protect yourself by applying the aforementioned security patch
  • Apply the following mitigation in each of your calls to axios to defensively code against this vulnerability:

    axios({ url: ..., maxContentLength: 2000 })
      .catch((error) => { error.request.res.destroy(); });

    This is as suggested in https://github.com/axios/axios/issues/1098#issuecomment-334874694
  • Apply the suggested Pull Request fix manually https://github.com/axios/axios/pull/1485

A note about open source project health

Open source maintenance becomes more and more challenging as a project grows in popularity. Issues grow in number and demand ever more attention; documentation has to be created and kept up to date; bug fixes and stable releases have to be delivered. These are just some of the tasks expected from project maintainers, and they are often delivered entirely on a voluntary basis.

Choosing your open source dependencies should be done with due diligence in order to minimize disruptions for your project as much as possible. Following are several aspects of the axios project dependency health information that we can learn from Snyk’s insights:

  • axios first published its 0.1.0 version 5 years ago, on 29 Aug, 2014.
  • The latest stable version 0.18.0 was published 9 months ago, on 19 Feb, 2018.
  • All released versions are affected by the aforementioned Denial of Service vulnerability.
[Image: npm axios module dependency health and security vulnerabilities]

The project received contributions from as many as 159 developers but releases are still managed by project leaders Nick Uraltsev and Matt Zabriskie.
