CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor #6006
Comments
@valentin-panov does this vuln only affect 1.5.1 and no other versions? Dependency track is showing me this vuln for 1.1.3 (I guess it is associating this vuln with all versions of axios).
I agree with you, and the problem may have affected all versions released since then.
Cannot reproduce on a fresh machine and a fresh project. Closing the issue; researching a reproducible env.
I reproduced the defect in a new project with the latest package versions and updated the description.
@valentin-panov what are ER and AR?
Expected result
Does this only apply to scenarios where the XSRF-TOKEN cookie is created in the front-end as shown above? In my case the XSRF-TOKEN cookie is created and managed by the server and I can't reproduce. Using version 1.5.1.
I don't think the cookie's origin is a critical factor. In my opinion, what really matters is whether the cookie is accessible to client-side JavaScript and whether the 'withCredentials' attribute is set to 'true'.
By the way, the current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.
The description appears to be identical to issue #6022. However, the author of the issue has not supplied any specific details. I'm assuming that this issue may be the same.
Any update on this? Snyk also reports the same issue: https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Regrettably, no, I haven't received a response from the team through this platform or via email.
@herarya does the above correct the Snyk finding?
We are also facing this issue reported by Snyk. Any updates would be much appreciated!
Same here from Snyk. Thanks for looking into this!
Yes, correct, it has now blocked our CI/CD.
Is the Axios CSRF vulnerability a false positive for users who do not have the
The security support of NodeJS 10 ended 2.5 years ago? (30 Apr 2021, see https://endoflife.date/nodejs)
0.x -> 1.0 has breaking changes preventing updating if you rely on those features: #5365. Don't know if they plan to fix that or if there is an alternative solution to that problem.
Hi guys! If you have any useful insights that can help us solve this problem without changing the current versioning approach, it would be greatly appreciated.
Basically you are asking the Axios maintainers to compensate for the laziness/negligence/incompetency (choose the one you prefer) of your customers for free. Moving forward, if you can't get your customers to upgrade, click the Fork button and backport the fix yourself. After all, it is to have this freedom that we use open source?
Ok, I'm a bit shocked that this bug, which has several open PRs, still isn't fixed.
@marcusdelang @304NotModified and others who were blocked on upgrading to v1.x.x by this bug, I have good news – the fix was just merged and released as v1.6.6!
I am looking into this issue and I want to know if this is only an issue in scenarios where the third party application/URL is connected to the application using this token?
Describe the bug
Hi team, @jasonsaayman and @DigitalBrainJS,
The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.
It's crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.
You may check it here:
https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
To Reproduce
npx create-next-app@latest
Then, install the latest version of the Axios library with this command: npm i axios
Code snippet
Expected behavior
ER: the XSRF-TOKEN is not disclosed to a 3rd party host
AR: the XSRF-TOKEN is disclosed in every request made with the Axios instance
Axios Version
[v0.8.1] - [v1.5.1]
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.
https://nvd.nist.gov/vuln/detail/CVE-2023-45857
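Added illustration (not code from axios or from anyone in this thread): it models the header-attachment rule the report describes, beside a same-origin guard a request interceptor could enforce instead. The cookie jar, page origin and request URLs are constructed; the config keys mirror axios's xsrfCookieName, xsrfHeaderName and withCredentials options.

```javascript
// Added example, not axios's own code. Models the rule reported in the issue
// (token header added to every request) and a hardened same-origin variant.
// Cookie jar, origin and URLs below are constructed for illustration.
const COOKIE_JAR = 'session=abc123; XSRF-TOKEN=t0ken-value; theme=dark';
const PAGE_ORIGIN = 'https://app.example';

// Minimal document.cookie parser: returns the named cookie's value or null.
function readCookie(jar, name) {
  for (const part of jar.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Behaviour described in the report: when withCredentials is on and the
// cookie exists, the header is added to every request, whatever host it targets.
function vulnerableHeaders(config, jar) {
  const headers = { ...(config.headers || {}) };
  const token = readCookie(jar, config.xsrfCookieName || 'XSRF-TOKEN');
  if (config.withCredentials && token) {
    headers[config.xsrfHeaderName || 'X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// Resolve relative URLs against the page origin and compare origins
// (scheme, host and port; default ports are normalised by the URL parser).
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === pageOrigin;
}

// Hardened rule: the token only travels back to the origin that issued it.
function hardenedHeaders(config, jar, pageOrigin) {
  const headers = { ...(config.headers || {}) };
  const token = readCookie(jar, config.xsrfCookieName || 'XSRF-TOKEN');
  if (config.withCredentials && token && isSameOrigin(config.url, pageOrigin)) {
    headers[config.xsrfHeaderName || 'X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// Constructed requests: one to the app's own API, one to a third-party host.
const sameOriginReq = { url: '/api/profile', withCredentials: true };
const crossOriginReq = { url: 'https://third-party.example/collect', withCredentials: true };
```

Passing a non-default xsrfCookieName (the workaround given above) makes readCookie return null for the default rule, so no header is added at all; the same-origin guard instead keeps the header for the application's own endpoints.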