[Pkg-javascript-devel] Bug#1102223: Bug#1102223: node-axios: CVE-2025-27152
Yadd
yadd at debian.org
Sun Apr 6 16:00:59 BST 2025
On 4/6/25 16:32, Salvatore Bonaccorso wrote:
> Source: node-axios
> Version: 1.7.9+dfsg-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-axios.
>
> CVE-2025-27152[0]:
> | axios is a promise based HTTP client for the browser and node.js.
> | The issue occurs when passing absolute URLs rather than protocol-
> | relative URLs to axios. Even if baseURL is set, axios sends the
> | request to the specified absolute URL, potentially causing SSRF and
> | credential leakage. This issue impacts both server-side and client-
> | side usage of axios. This issue is fixed in 1.8.2.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-27152
> https://www.cve.org/CVERecord?id=CVE-2025-27152
> [1] https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Looks contested:
https://github.com/axios/axios/issues/6463#issuecomment-2285349645
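Added example, not code from the bug report, from axios or from Debian: the URL resolution rule behind the advisory's description, reproduced with Node's built-in WHATWG `URL` implementation, followed by a hypothetical same-origin guard (`checkSameOrigin`, an assumed helper name, not an axios API) that a caller can apply before handing a request path to a client configured with `baseURL`. All host names are constructed.

```javascript
// Standard URL resolution, as done when a client combines baseURL with a
// request path: a relative path is appended to the base, while an absolute
// URL (or a protocol-relative "//host/..." URL) replaces the base entirely.
// This is the behaviour the advisory describes: baseURL offers no protection
// against an absolute URL coming from untrusted input.
function resolveRequestURL(baseURL, requestPath) {
  return new URL(requestPath, baseURL).toString();
}

// Defensive check for callers: resolve the path exactly as the client would,
// then accept it only if the resulting origin (scheme + host + port) is still
// the origin of baseURL. Anything else is reported, never sent.
function checkSameOrigin(baseURL, requestPath) {
  const base = new URL(baseURL);
  const target = new URL(requestPath, baseURL);
  if (target.origin !== base.origin) {
    return {
      ok: false,
      url: target.toString(),
      reason: `resolved origin ${target.origin} differs from base origin ${base.origin}`,
    };
  }
  return { ok: true, url: target.toString() };
}

// Constructed inputs: one legitimate relative path, one absolute URL and one
// protocol-relative URL, each as they might arrive from a request parameter.
const BASE = 'https://api.example.com/v1/';
const SAMPLE_PATHS = [
  'users/42',
  'https://other.example.org/collect',
  '//other.example.org/x',
];

for (const p of SAMPLE_PATHS) {
  const verdict = checkSameOrigin(BASE, p);
  console.log(verdict.ok ? 'ALLOW' : 'BLOCK', p, '->', verdict.url, verdict.reason ?? '');
}
```

Note that the guard compares origins after resolution rather than pattern-matching the raw string, so host-only tricks such as a leading `//` are caught the same way as a full `https://` prefix.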