Snyk vulnerability [SNYK-JS-AXIOS-6032459] #20942
Comments
Appreciate any help with this one. We're treating it as low prio since it doesn't affect us
Upgrading Not sure if Renovate should have re-raised a PR - #21543 (likely will when
yarn why axios
├─ @backstage/plugin-opencost@workspace:plugins/opencost
│  └─ axios@npm:1.6.5 (via npm:^1.4.0)
│
├─ @openapitools/openapi-generator-cli@npm:2.9.0
│  └─ axios@npm:1.6.5 (via npm:1.6.5)
│
├─ @swagger-api/apidom-reference@npm:0.92.0
│  └─ axios@npm:1.6.5 (via npm:^1.4.0)
│
├─ @trendyol-js/openstack-swift-sdk@npm:0.0.7
│  └─ axios@npm:1.6.5 (via npm:^1.0.0)
│
├─ analytics-node@npm:6.2.0
│  └─ axios@npm:0.27.2 (via npm:^0.27.2)
│
├─ circleci-api@npm:4.1.4
│  └─ axios@npm:0.21.4 (via npm:^0.21.1)
│
└─ passport-auth0@npm:1.4.4
   └─ axios@npm:1.6.5 (via npm:^1.6.0)
https://github.com/worldturtlemedia/circleci-api seems pretty much unmaintained 😢 Last release ~3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Affecting Packages/Plugins
Overview
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.
Workaround
Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.
Remediation
Upgrade axios to version 1.6.0 or higher.
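The advisory above describes a header-injection policy, not a specific payload, so the mechanism is easiest to see in a small model. The following is an added example and is not axios source code or anything posted in this issue: it models the three policies the advisory names (the affected behaviour, the upgraded behaviour, and the cookie-rename workaround) as plain functions over a constructed cookie jar and Node's built-in URL class, so it runs offline. The page origin, the attacker origin, the cookie value, and the assumption that the fixed behaviour attaches the header only for same-origin URLs are all constructed for illustration.

```javascript
// Added example modelling the XSRF header policy described in the Snyk advisory.
// Not axios code; the origins, cookie jar and function names are constructed.

const ORIGIN = 'https://app.example.test'; // page origin the client runs on (constructed)

// Stands in for document.cookie on that origin (constructed value).
const cookieJar = { 'XSRF-TOKEN': 'secret-xsrf-token-value' };

function readCookie(jar, name) {
  return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : null;
}

// Resolve relative URLs against the page origin, then compare scheme+host+port.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Affected policy as the advisory describes it: once withCredentials is on, the
// XSRF-TOKEN cookie is copied into X-XSRF-TOKEN for ANY destination, so a request
// to a third-party host carries the token with it.
function buildHeadersVulnerable(config, jar, pageOrigin) {
  const headers = { ...(config.headers || {}) };
  const cookieName = config.xsrfCookieName ?? 'XSRF-TOKEN';
  const headerName = config.xsrfHeaderName ?? 'X-XSRF-TOKEN';
  const attach = Boolean(config.withCredentials) || isSameOrigin(config.url, pageOrigin);
  const value = attach ? readCookie(jar, cookieName) : null;
  if (value) headers[headerName] = value;
  return headers;
}

// Upgraded policy (assumption about the shape of the 1.6.0 fix): the header is
// attached only when the target is same-origin, whatever withCredentials says.
function buildHeadersFixed(config, jar, pageOrigin) {
  const headers = { ...(config.headers || {}) };
  const cookieName = config.xsrfCookieName ?? 'XSRF-TOKEN';
  const headerName = config.xsrfHeaderName ?? 'X-XSRF-TOKEN';
  const value = isSameOrigin(config.url, pageOrigin) ? readCookie(jar, cookieName) : null;
  if (value) headers[headerName] = value;
  return headers;
}

// Workaround from the advisory, for callers stuck on an affected version: point the
// client at a cookie name that does not exist so nothing is copied automatically,
// then add the header by hand only for the requests that need it (same-origin here).
const WORKAROUND_DEFAULTS = { xsrfCookieName: 'XSRF-TOKEN-DISABLED' }; // constructed name

function buildHeadersWorkaround(config, jar, pageOrigin) {
  const headers = buildHeadersVulnerable({ ...WORKAROUND_DEFAULTS, ...config }, jar, pageOrigin);
  if (isSameOrigin(config.url, pageOrigin)) {
    const token = readCookie(jar, 'XSRF-TOKEN');
    if (token) headers['X-XSRF-TOKEN'] = token;
  }
  return headers;
}

// True when the request to `url` would carry the real token in X-XSRF-TOKEN.
function carriesToken(buildHeaders, url, withCredentials = true) {
  const headers = buildHeaders({ url, withCredentials }, cookieJar, ORIGIN);
  return headers['X-XSRF-TOKEN'] === cookieJar['XSRF-TOKEN'];
}

const ATTACKER = 'https://attacker.example.test/collect'; // constructed third-party URL
const SAME_ORIGIN_API = '/api/session';

// Stand-alone run: which policies leak the token cross-origin, and which keep it
// available for the legitimate same-origin API call.
for (const [name, policy] of [
  ['vulnerable', buildHeadersVulnerable],
  ['fixed', buildHeadersFixed],
  ['workaround', buildHeadersWorkaround],
]) {
  console.log(name,
    'cross-origin leak:', carriesToken(policy, ATTACKER),
    'same-origin has token:', carriesToken(policy, SAME_ORIGIN_API));
}
```

The point the model makes is that `withCredentials` alone is the wrong trigger: it controls whether cookies ride along, but the header copy must be keyed on the destination origin. The workaround keeps that decision in the caller's hands, which is why the advisory says to add the header only where it is needed rather than re-enabling it globally.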