CVE-2023-45857 on the axios module used in the package
luiof opened this issue · 6 comments
We are seeing a CVE on the module.
The CVE is: CVE-2023-45857
Vulnerability scan summary for package-lock.json
# of Packages scanned: 561
# of Vulnerabilities found: 1
Vulnerability found: Cross-site Request Forgery (CSRF) - SNYK-JS-AXIOS-6032459
URL: https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Package: axios
Version: 1.4.0
Introduced By: ibm-cloud-sdk-core:4.1.2 --> axios:1.4.0
Severity: high
Description: axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.
Updated at: 2023-10-25T07:24:40.920085Z
Codes: [CVE-2023-45857]
@luiof what type of scanner found that vulnerability? I'm curious because our CRA (Code Risk Analysis) scanning job did not find this vulnerability.
The issue in axios for this seems to suggest that it requires `withCredentials: true` to be used. AFAIK that hasn't been used here since v4 release with the axios 1.x upgrade. Ofc it would be prudent to upgrade axios as soon as a fixed version is available anyway.
I confirmed that there are no occurrences of `withCredentials` within the node core source code :), so I think we can assume that the node core is not vulnerable to this. But, I agree that we should upgrade to the fixed version of axios when it's available.
cc: @dpopp07
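The two checks the thread relies on, as an added example that is not code from this project: list every axios copy pinned in a lockfileVersion 2/3 package-lock.json (nested copies included) and flag those below 1.6.0, and report source lines that mention withCredentials. The lock file and source snippet below are constructed sample input.

```javascript
// Added example (not the project's own code): audit helper for CVE-2023-45857.
// Lists every axios copy in a lockfileVersion 2/3 package-lock.json "packages"
// map (including nested ones such as node_modules/ibm-cloud-sdk-core/node_modules/axios),
// flags versions below the fixed 1.6.0, and reports source lines that mention
// withCredentials, the setting the advisory requires for the header leak to matter.
const FIXED_AXIOS = '1.6.0'; // first release with the fix, per the thread

// Compare plain x.y.z version strings (assumption: no prerelease/build tags).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every axios entry in the parsed lock file, with the path it was resolved under.
function findAxios(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/axios' || p.endsWith('/node_modules/axios'))
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      vulnerable: cmpVersion(meta.version, FIXED_AXIOS) < 0,
    }));
}

// 1-based numbers of the lines in `src` that contain withCredentials.
function findWithCredentials(src) {
  return src.split('\n')
    .map((line, i) => (/withCredentials/.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed sample input: a fixed top-level axios plus a vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/ibm-cloud-sdk-core/node_modules/axios': { version: '1.4.0' },
  },
};
const SAMPLE_SRC = [
  "const client = axios.create({ baseURL: 'https://api.example' });",
  "client.get('/v1/items', { withCredentials: true }); // the risky setting",
  "client.get('/v1/other');",
].join('\n');
console.log(findAxios(SAMPLE_LOCK), findWithCredentials(SAMPLE_SRC));
```

To run it against a real tree, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and SAMPLE_SRC with each source file's contents.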
Axios 1.6.0 is available now, I made #255 for the bump.
🎉 This issue has been resolved in version 4.1.4 🎉
The release is available on:
- npm package (@latest dist-tag)
- GitHub release
Your semantic-release bot 📦🚀