Possible bug: Vulnerability SSRF #3407
Comments
Thanks for the report. I'll start looking into the remediation.
FYI this has become https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168
@jasonsaayman, do you have an ETA for v0.21.1 or a patch with respect to this CVE?
Bumping here too. This issue seems to no longer be IP for the 0.21.1 release.
We have had to disable the package audit check on our build in order to make it pass as a result of this. It would be highly desirable to have an official maintenance release with this in as soon as possible. I must say I'm surprised this hasn't been released sooner, since it's the subject of a CVE.
+1 to what tomqwpl wrote, this became a blocker in our case, as audit-js / snyk is marking this a vulnerable package, thus pipelines glow red. It would be so cool to have a release scheduled, especially as from what I see here https://github.com/axios/axios/projects/7 the board for v0.21.1 is cleared.
+1 here... our pipelines are red, waiting for this to be out.
It currently breaks the pipelines of our customers...
@emilyemorehouse As being the one who generally seems to release axios, can we consider a new release with this fix in so that the vulnerability can be addressed?
Hi All, I am waiting for an ETA on this release, I will update as soon as I know when it will be or is out. If I could release this I would, as I know it's an issue for many people and even for me personally on my projects where CI/CD fails because of it. Thanks
Hi All, v0.21.1 has been released and this includes the fix for the vulnerability. Thanks
Describe the bug
In my current project we are using Snyk to catch any possible issues and vulnerabilities.
Snyk reports that since version 0.19.0 there is an SSRF vulnerability that has not been fixed yet.
This is the message:
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Could you please verify?
Thanks in advance.
To Reproduce
Any pen tests or just using Snyk to scan any app that uses axios.
Expected behavior
No vulnerabilities alerts.
Environment
Additional context/Screenshots