New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSRF Vulnerability Arising from Axios URL Parsing #6295
Comments
Here is the discussion in twitter/x: https://x.com/irsdl/status/1768057917826023568 It seems that all these are resolved as
|
You can fix this security vulnerability by modifying the code a bit: const express = require('express');
const axios = require('axios');
const app = express();
const port = 80;
app.get('/', async (req, res) => {
const whitelist = ['voorivex.team'];
try {
const { url } = req.query;
const parsedUrl = new URL(url);
if (whitelist.includes(parsedUrl.hostname)) {
const response = await axios.get(parsedUrl.href);
res.json(response.data);
} else {
res.status(403).send('Forbidden: Hostname not in whitelist');
}
} catch (error) {
if (error.request) {
res.status(500).send('Internal Server Error');
} else {
res.status(400).send('Bad Request: Invalid URL');
}
}
});
app.get('/admin', async (req, res) => {
const clientIP = req.ip;
if (clientIP === '::1' || clientIP === '127.0.0.1' || clientIP === '::ffff:127.0.0.1') {
res.send("Welcome to admin panel!")
} else {
res.status(403).send('Forbidden');
}
})
app.listen(port, () => {
console.log(`Server is running on http://localhost:${port}`);
}); Changing |
I have done some testing, and I have come to a conclusion. This problem is already fixed in the This issue should be marked as closed. |
Describe the bug
Hello everyone! I hope all is going smoothly for you. Despite numerous attempts to reach out regarding a security concern via this discussion thread, unfortunately, there has been no response. As a result, I've decided to create the issue and talk about it. There is a situation that axios URL parsing could let to SSRF vulnerability
To Reproduce
To replicate the vulnerability, simply execute the provided code snippet on your local machine and visit this link:
http://localhost/?url=http:voorivex.team/../admin
.What's occurring here? When this code snippet is executed, the JavaScript native function
URL
parses the URL, returningvoorivex.team
as the hostname which is inside the whitelist. However, in Axios, this is interpreted as a path, causing Axios to utilizelocalhost
as the host for paths. Consequently, this opens up the possibility to explore local endpoints.Code snippet
Expected behavior
No response
Axios Version
1.6.7
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
Additional context/Screenshots
No response
The text was updated successfully, but these errors were encountered: