Package Vulnerability: axios

[WilliamHolmes]

A vulnerable version of the axios package is being included by retry-axios

https://www.cve.org/CVERecord?id=CVE-2023-45857

├─┬ @ibm-cloud/cloudant@0.7.2
│ └─┬ ibm-cloud-sdk-core@4.1.4
│   ├── axios@1.6.0
│   └─┬ retry-axios@2.6.0
│     └── axios@0.25.0

[padamstx]

@WilliamHolmes I've started to investigate this and what's odd is that when I run npm ci on a node project that defines the node core library as a dependency, I see this:

[padams@woodchuck 10:34:59 ~/work/sdks/platform/node]
$ npm ls --all | grep axios
│ ├─┬ axios@1.6.0
│ ├─┬ retry-axios@2.6.0
│ │ └── axios@1.6.0 deduped

So in my case, only axios version 1.6.0 (the latest) is referenced.

Is there anything special about the repo you are building that causes this old version of axios to be pulled in? Could you post a link to the project you're building so I can perhaps do an experiment? Thanks

[padamstx]

I cloned the cloudant node sdk, then ran npm ci to pull down all its dependencies, and then I ran npm ls:

[padams@woodchuck 10:50:51 ~/work/sdks/cloudant/node]
$ npm ls --all | grep axios
│ ├─┬ axios@1.6.0
│ ├─┬ retry-axios@2.6.0
│ │ └── axios@1.6.0 deduped

so it looks like the cloudant node sdk also references only the latest version of axios.

Any idea where this old version of axios is being referenced from? :)

[WilliamHolmes]

@padamstx its an internal private repo.

will double check this now ...

Its a strange one I've forced cleared the npm cache.

I have a custom library @name/db

@name/db@7.0.6
├─┬ @ibm-cloud/cloudant@0.7.2
│ └─┬ ibm-cloud-sdk-core@4.1.4
│   ├── axios@1.6.0
│   └─┬ retry-axios@2.6.0
│     └── axios@1.6.1 deduped
└── axios@1.6.1

but when i consume it .

├─┬ @name/db@7.0.6
│ ├─┬ @ibm-cloud/cloudant@0.7.2
│ │ └─┬ ibm-cloud-sdk-core@4.1.4
│ │   ├── axios@1.6.0
│ │   └─┬ retry-axios@2.6.0
│ │     └── axios@0.25.0 deduped     <<<<<
│ └── axios@1.6.1

So im 99% sure at this stage its a local issue, just can't figure out what.

[phaumer]

I am also see this in the latest version that retry-axios refers back to older vulnerable (CVE-2023-26159) versions.

[padamstx]

I just pulled the latest changes in the main branch and then ran npm ci and npm ls yields:

ibm-cloud-sdk-core@4.2.2 
...
├─┬ axios@1.6.4
│ ├── follow-redirects@1.15.4
│ ├─┬ form-data@4.0.0
│ │ ├── asynckit@0.4.0 deduped
│ │ ├── combined-stream@1.0.8 deduped
│ │ └── mime-types@2.1.35 deduped
│ └── proxy-from-env@1.1.0
...
├─┬ retry-axios@2.6.0
│ └── axios@1.6.4 deduped
...

These were the only occurrences of "axios".

[TannerS]

I am also having this issue. We have security issues with the BSS team for a vuln for axios under 1.6.3. So is there a plan for this?

[phaumer]

In our case it was caused by npm in a monorepo with workspaces. npm was managing another copy of axios in a sub-package of ours, which seems like an npm bug. I could only fix it by manually fixing the lock file. So using dependencies that depend on peers with a * version reference can lead to these problems. If retry-axios is useful it would be a better idea to contribute it to the axios project itself to avoid these package management issues.

[padamstx]

I've gone through the steps to bump the node core version in two different node sdk projects to the latest version (v4.2.2):

• https://github.ibm.com/CloudEngineering/node-sdk-template/pull/97
• fix(deps): bump node core to 4.2.2 platform-services-node-sdk#237

In both situations, axios 1.6.4 is the only version that shows when running npm ls --all, and no CVEs are reported by npm.

[padamstx]

Via slack, I learned from @TannerS that he was seeing his issue with the appconfiguration-node-sdk project and it looks like that one has already been updated to use the latest node core (4.2.2) to avoid these axios-related CVEs

[padamstx]

It seems this issue is now resolved so I'll close.