Vulnerabilities: 1 via 1 paths
Dependencies: 56
Source: GitHub
Commit: dacb8350


high severity

Cross-site Request Forgery (CSRF)

  • Vulnerable module: axios
  • Introduced through: axios@0.21.3

Detailed paths

  • Introduced through: vscode-vuln-cost@snyk/vulncost#dacb8350f7130915bd8ef0e05c3156d034e6e6a2 axios@0.21.3
    Remediation: Upgrade to axios@1.6.0.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). When the XSRF-TOKEN cookie is present and the withCredentials setting is turned on, axios copies the secret XSRF-TOKEN cookie value into an X-XSRF-TOKEN header on every request, regardless of which server the request is sent to. A request to a third-party host therefore discloses the token to that host, and an attacker who obtains the value can bypass the XSRF defence that the token was meant to provide.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration (the xsrfCookieName option), so that the automatic lookup no longer finds the real token, and manually include the corresponding X-XSRF-TOKEN header only on the specific same-origin requests that need it.

Remediation

Upgrade axios to version 1.6.0 or higher.
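The following is an added example, not code from the axios project or from this repository. It reconstructs the decision described in the Overview (attach the cookie value as a header whenever withCredentials is set) next to the same-origin-only decision that the fixed versions apply, and then shows the Workaround of renaming the cookie and attaching the header by hand. The function names, the page origin https://app.example, the third-party host https://evil.example and the cookie string are all assumptions made for illustration.

```javascript
// Added example: reconstruction of the header-injection logic the advisory describes,
// not axios's own source. Function names, origins and cookie values are assumed.

// Parse a document.cookie-style string ("a=1; b=2") into a name/value object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Same-origin test: scheme, host and port of the request must match the page origin.
// Relative URLs resolve against the page origin and therefore count as same-origin.
function isSameOrigin(requestUrl, pageOrigin) {
  const a = new URL(requestUrl, pageOrigin);
  const b = new URL(pageOrigin);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Vulnerable decision (axios < 1.6.0, as described in the Overview): withCredentials alone
// is enough to attach the cookie value, no matter which host the request targets.
function xsrfHeaderVulnerable(config, cookies, pageOrigin) {
  const eligible = config.withCredentials || isSameOrigin(config.url, pageOrigin);
  const value = eligible && config.xsrfCookieName && cookies[config.xsrfCookieName];
  return value ? { [config.xsrfHeaderName]: value } : {};
}

// Fixed decision (axios >= 1.6.0): only same-origin requests get the header.
function xsrfHeaderFixed(config, cookies, pageOrigin) {
  const eligible = isSameOrigin(config.url, pageOrigin);
  const value = eligible && config.xsrfCookieName && cookies[config.xsrfCookieName];
  return value ? { [config.xsrfHeaderName]: value } : {};
}

const defaults = { xsrfCookieName: "XSRF-TOKEN", xsrfHeaderName: "X-XSRF-TOKEN" };
const pageOrigin = "https://app.example"; // assumed origin of the page running the client
// Constructed sample cookie jar: the app's anti-CSRF token plus unrelated cookies.
const cookies = parseCookies("session=abc; XSRF-TOKEN=s3cr3t-token; theme=dark");

// A credentialed request to a third-party host: the vulnerable path leaks the token,
// the fixed path sends no X-XSRF-TOKEN header at all.
function demonstrateLeak() {
  const config = { ...defaults, url: "https://evil.example/collect", withCredentials: true };
  return {
    vulnerable: xsrfHeaderVulnerable(config, cookies, pageOrigin),
    fixed: xsrfHeaderFixed(config, cookies, pageOrigin),
  };
}

// Workaround from the advisory, applied to the vulnerable decision: point xsrfCookieName
// at a name the server never sets, so the automatic lookup finds nothing, then attach the
// real token by hand only on the call that needs it.
function buildRequestWithWorkaround(url, needsToken) {
  const config = { ...defaults, url, withCredentials: true, xsrfCookieName: "APP-CSRF-UNUSED" };
  const headers = xsrfHeaderVulnerable(config, cookies, pageOrigin); // empty: cookie not found
  if (needsToken && isSameOrigin(url, pageOrigin)) {
    headers["X-XSRF-TOKEN"] = cookies["XSRF-TOKEN"];
  }
  return headers;
}

console.log(demonstrateLeak());
console.log(buildRequestWithWorkaround("https://evil.example/collect", true));
console.log(buildRequestWithWorkaround("/api/transfer", true));
```

The workaround helper also refuses to add the header for a cross-origin URL even when asked, since a third-party endpoint has no legitimate use for this application's token; that extra check is the example's own choice and is not part of the advisory text.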
