CVE-2024-39338 Scanner

CVE-2024-39338 Scanner - Server-Side Request Forgery (SSRF) vulnerability in Axios

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 12 hours
Scan only one: URL
Toolbox: -

Axios is a widely used promise-based HTTP client for browsers and Node.js applications. It provides an intuitive API for handling HTTP requests and responses, making it popular among developers working on front-end and back-end projects. The library is commonly used in modern JavaScript applications to interact with RESTful APIs efficiently. Due to its ease of integration and feature-rich capabilities, it is widely adopted in enterprise and open-source projects. Axios simplifies handling asynchronous requests and includes built-in support for request cancellation and automatic JSON data transformation. However, due to its widespread use, security vulnerabilities like SSRF can have significant impacts across various applications.

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to manipulate a server into making unauthorized requests to internal or external resources. In the case of Axios, this vulnerability is caused by unexpected behavior where requests for path-relative URLs are processed as protocol-relative URLs. This flaw exists in versions 1.3.2 to 1.7.3 and allows attackers to control the request destination by crafting specially formatted URLs. The vulnerability enables attackers to access restricted network locations, exfiltrate sensitive data, or launch secondary attacks. Exploiting this issue does not require authentication or user interaction, making it a critical security risk. The issue was addressed in Axios version 1.7.4.

This vulnerability stems from how Axios combines a configured base URL with user-controlled input when constructing HTTP requests. Specifically, an attacker who controls the path portion appended to the base URL can trick the application into sending requests to unintended destinations. A proof-of-concept (PoC) exploit demonstrates this by changing a user ID parameter from the expected relative path to a protocol-relative URL. In this scenario, a request that should normally be made to `https://userapi.example.com/12345` can be altered to `//google.com`, resulting in an unauthorized request to `http://www.google.com/`. This exposes applications to potential data leaks and unauthorized access to internal resources. The security flaw was classified under CWE-918 (Server-Side Request Forgery).

If exploited, this vulnerability could allow an attacker to perform arbitrary requests on behalf of the vulnerable server. This may lead to unauthorized access to sensitive internal systems, exposing confidential data and increasing the risk of lateral movement within a network. Attackers could leverage this flaw to interact with cloud metadata services, retrieve authentication tokens, or exploit other backend vulnerabilities. Organizations using vulnerable versions of Axios should assess their risk exposure, as this vulnerability can also facilitate reconnaissance for more advanced attacks. Since SSRF attacks can be used to bypass firewalls and other network security controls, immediate remediation is necessary. Updating to Axios version 1.7.4 or implementing strict input validation is recommended.
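The path-relative versus protocol-relative confusion described above, and the input validation recommended as a mitigation, as an added example that is not part of this page or of the axios project: a Node.js helper that builds the user-API URL from the page's scenario, rejects ids that fail an allow-list, and refuses any value whose resolved origin differs from the expected API origin. It uses Node's built-in WHATWG URL resolver rather than axios' own path-combining code, so it illustrates the resolution behaviour, not axios internals; EXPECTED_ORIGIN, USER_ID_PATTERN, resolvesOffOrigin and buildUserApiUrl are assumed names, and the inputs are constructed.

```javascript
// Added example, not code from the scanner page or from the axios project.
// Constructed scenario from the page: base URL https://userapi.example.com/,
// user id "12345", and the malicious value "//google.com".
// Hypothetical names: EXPECTED_ORIGIN, USER_ID_PATTERN, resolvesOffOrigin, buildUserApiUrl.
const EXPECTED_ORIGIN = 'https://userapi.example.com';
const USER_ID_PATTERN = /^[0-9]{1,12}$/; // allow-list: a numeric id is exactly one path segment

// Resolve pathPart against baseURL with the WHATWG URL resolver (Node's global URL)
// and report whether the result leaves the base URL's origin. A value starting
// with "//" is protocol-relative, so "//google.com" resolves to https://google.com/
// instead of a path under the API host: the confusion behind CVE-2024-39338.
function resolvesOffOrigin(baseURL, pathPart) {
  const base = new URL(baseURL);
  const resolved = new URL(pathPart, base.href);
  return { offOrigin: resolved.origin !== base.origin, href: resolved.href };
}

// Defensive builder for the request URL: validate the id against the allow-list,
// percent-encode it so it cannot introduce "/", "?" or "#", then verify the
// final origin before the value is ever handed to an HTTP client.
function buildUserApiUrl(baseURL, userId) {
  if (typeof userId !== 'string' || !USER_ID_PATTERN.test(userId)) {
    throw new Error('rejected user id: ' + JSON.stringify(userId));
  }
  const { offOrigin, href } = resolvesOffOrigin(baseURL, encodeURIComponent(userId));
  if (offOrigin) throw new Error('refusing off-origin request to ' + href);
  return href;
}

// Walk through the page's scenario on constructed inputs.
console.log(buildUserApiUrl(EXPECTED_ORIGIN + '/', '12345'));          // https://userapi.example.com/12345
console.log(resolvesOffOrigin(EXPECTED_ORIGIN + '/', '//google.com')); // { offOrigin: true, href: 'https://google.com/' }
for (const bad of ['//google.com', 'https://evil.example/x', '../admin', '12345?x=1']) {
  try { buildUserApiUrl(EXPECTED_ORIGIN + '/', bad); }
  catch (e) { console.log(e.message); }
}
```

The allow-list rejects every non-numeric value before resolution is even attempted; the origin check is the backstop for cases where a looser pattern has to be accepted.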
