Description
Describe the bug
Hi team, @jasonsaayman and @DigitalBrainJS,
The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.
It's crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.
You may check it here:
https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
To Reproduce
- Start a new project using the latest version of Next.js by running the following command: npx create-next-app@latest. Then, install the latest version of the Axios library with this command: npm i axios
- Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests:
import axios from "axios";

// withCredentials makes the browser attach cookies to cross-site requests;
// in the affected versions it is also enough to trigger the X-XSRF-TOKEN header.
const instance = axios.create({
  withCredentials: true,
});
- Set the XSRF-TOKEN cookie with specific attributes: give it the value "whatever" and configure it for the "localhost" domain with a strict same-site policy:
// Assumes the universal-cookie package; the report does not name the cookie library.
import Cookies from "universal-cookie";

const cookies = new Cookies();
cookies.set("XSRF-TOKEN", "whatever", {
  domain: "localhost",
  sameSite: "strict",
});
- Initiate a cross-domain request using your Axios instance. In this example, we're making a GET request to "https://www.com/," and we handle the response and potential errors:
// Cross-domain request: the target host has nothing to do with the page
// that issued the XSRF-TOKEN cookie.
instance
  .get("https://www.com")
  .then((res) => console.log(res.data))
  .catch((err) => console.error(err.message));
- Run your project, and open the browser's network tab for debugging and monitoring network activity.
- Verify that the cross-domain request to "https://www.com/" includes the "X-XSRF-TOKEN" header with the value "whatever."
- Confirm that the "XSRF-TOKEN" cookie's value is disclosed to any 3rd-party host when making requests using the Axios instance. This is essential for security as you don't want to leak CSRF tokens to unauthorized entities.
Code snippet
lib/adapters/xhr.js:191
const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
Expected behavior
ER (expected result): the XSRF-TOKEN is not disclosed to a 3rd-party host
AR (actual result): the XSRF-TOKEN is disclosed in every request made with the Axios instance
Axios Version
[v0.8.1] - [v1.5.1]
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.
https://nvd.nist.gov/vuln/detail/CVE-2023-45857
https://prnt.sc/xDcRmFozxSHJ