CVE-2020-28168: Axios NPM SSRF
Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker can bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base Score is 9.8 (Critical)
1.3 Affected Version
Axios Version [0.21.0]Node.js Version [v12.18.2]
1.4 Vulnerability Attribution
This vulnerability is reported by the Github Project.
1.5 Risk Impact
This NPM make XMLHttpRequests from the browser; makes http requests from node.js; supports the Promise API; intercept request and response; transform request and response data; cancels requests; automatically transforms JSON data; client side support for protecting against XSRF
In cases where Axios is used by servers to perform http requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP. Public exploit for this vulnerability exists here.
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP)-Web can detect SSRF attacks and prevent this attack from being exploited.
1.7 Reference Links:
Download the full vulnerability report to learn more about this and other important vulnerabilities.
The post CVE-2020-28168: Axios NPM SSRF appeared first on Virsec Systems.
*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-28168-axios-npm-ssrf/
