CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2025-27152 – Possible SSRF and Credential Leakage via Absolute URL in axios Requests
https://notcve.org/view.php?id=CVE-2025-27152
07 Mar 2025 — axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2. • https://github.com/andreglock/axios-ssrf • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-57965
https://notcve.org/view.php?id=CVE-2024-57965
29 Jan 2025 — In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability. • https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db • CWE-346: Origin Validation Error •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39338 – axios: axios: Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-39338
09 Aug 2024 — axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. A vulnerability was found in the Axios HTTP Client. It is vulnerable to a server-side request forgery attack (SSRF) caused by unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs. This flaw allows an attacker to perform arbitrary requests from the server, potentially accessing internal systems or exfiltrating sensitive data. Red Hat OpenS... • https://github.com/axios/axios/releases • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 4CVE-2023-45857 – axios: exposure of confidential data stored in cookies
https://notcve.org/view.php?id=CVE-2023-45857
08 Nov 2023 — An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information. Un problema descubierto en Axios 1.5.1 revela inadvertidamente el XSRF-TOKEN confidencial almacenado en las cookies al incluirlo en el encabezado HTTP X-XSRF-TOKEN para cada solicitud realizada a cualquier host, lo que permite a los atacantes ver información sensible. A flaw ... • https://github.com/valentin-panov/CVE-2023-45857 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 8%CPEs: 5EXPL: 2CVE-2021-3749 – Inefficient Regular Expression Complexity in axios/axios
https://notcve.org/view.php?id=CVE-2021-3749
31 Aug 2021 — axios is vulnerable to Inefficient Regular Expression Complexity axios es vulnerable a una Complejidad de Expresión Regular Ineficiente A Regular Expression Denial of Service (ReDoS) vulnerability was found in the nodejs axios. This flaw allows an attacker to provide crafted input to the trim function, which might cause high resources consumption and as a consequence lead to denial of service. The highest threat from this vulnerability is system availability. Red Hat Advanced Cluster Management for Kubernet... • https://github.com/T-Guerrero/axios-redos • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 1CVE-2020-28168
https://notcve.org/view.php?id=CVE-2020-28168
06 Nov 2020 — Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. El paquete Axios NPM versión 0.21.0, contiene una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) donde un atacante es capaz de omitir un proxy al proporcionar una URL que responde con un redireccionamiento hacia un host restringido o una dirección IP • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 18%CPEs: 1EXPL: 4CVE-2019-10742
https://notcve.org/view.php?id=CVE-2019-10742
07 May 2019 — Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded. Axios versión 0.18.0 y anteriores, permite a los atacantes causar una denegación de servicio (cierre inesperado de la aplicación) al continuar aceptando contenido después de que se exceda maxContentLength. • https://github.com/ossf-cve-benchmark/CVE-2019-10742 • CWE-755: Improper Handling of Exceptional Conditions •