Homepage
About Snyk

Cross-site Request Forgery (CSRF) Affecting axios package, versions >=0.8.1 <0.28.0 >=1.0.0 <1.6.0

0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.06% (22nd percentile)
Expand this section
NVD
6.5 medium
Expand this section
Red Hat
6.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-AXIOS-6032459
  • published 25 Oct 2023
  • disclosed 23 Oct 2023
  • credit Valentin Panov
Report a new vulnerability Found a mistake?

Introduced: 23 Oct 2023

CVE-2023-45857 Open this link in a new tab
CWE-352 Open this link in a new tab

How to fix?

Upgrade axios to version 0.28.0, 1.6.0 or higher.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.