| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| axios | npm | >= 1.0.0, < 1.6.0 | 1.6.0 |
| axios | npm | >= 0.8.1, < 0.28.0 | 0.28.0 |
The vulnerability lies in how Axios handled XSRF tokens for cross-origin requests when withCredentials was true. The provided patches (96ee232bd3ee4de2e657333d4d2191cd389e14d0 and 2755df562b9c194fba6d8b609a383443f6a6e967) both modify the logic within the XHR adapter function in lib/adapters/xhr.js. This function is responsible for preparing and sending HTTP requests.
The original vulnerable code in this function used the condition (config.withCredentials || isURLSameOrigin(fullPath)) to decide whether the XSRF token should be read from cookies and added to the request headers. Because the disjunction short-circuits, a true config.withCredentials made the isURLSameOrigin(fullPath) check irrelevant to that decision, so the XSRF token was attached to credentialed requests sent to any host, not just to the page's own origin.
The patches correct this by either removing the config.withCredentials part from the condition (in 96ee232) or by introducing a more explicit withXSRFToken option to control this behavior (in 2755df5).
The function in lib/adapters/xhr.js (referred to as xhrAdapter as it's explicitly named in one of the commits and is the primary function of this module) is therefore the direct location of the vulnerable logic. It processes the request configuration and constructs the headers, making it the function that would appear in a runtime profile when the vulnerability is triggered.
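The decision the text describes, modelled as an added example rather than axios's own code: the vulnerable condition beside the patched one, driven by a constructed page origin, cookie string and request config. isURLSameOrigin() is a simplified stand-in for axios's helper, withXSRFToken is assumed to behave as true/false/unset as the patch description suggests, and XSRF-TOKEN / X-XSRF-TOKEN are the axios default cookie and header names.

```javascript
// Added example (not axios's own code): minimal, runnable model of the
// XSRF-token decision in the XHR adapter, vulnerable form beside patched form.
// Assumed: simplified isURLSameOrigin(), explicit pageOrigin/cookie inputs.

function isURLSameOrigin(fullPath, pageOrigin) {
  try {
    // Relative paths resolve against the page origin, as in a browser.
    return new URL(fullPath, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (_) {
    return false; // unparsable URL: treat as not same-origin
  }
}

// Pre-patch condition: withCredentials alone short-circuits the origin check,
// so a credentialed cross-origin request carries the token to any host.
function shouldSendXsrfTokenVulnerable(config, pageOrigin) {
  return Boolean(config.withCredentials || isURLSameOrigin(config.url, pageOrigin));
}

// Patched condition, modelled on 2755df5: an explicit withXSRFToken wins;
// when it is unset, only same-origin targets get the token. withCredentials
// no longer takes part in the decision (96ee232 simply drops it).
function shouldSendXsrfTokenPatched(config, pageOrigin) {
  if (config.withXSRFToken === true) return true;
  if (config.withXSRFToken === false) return false;
  return isURLSameOrigin(config.url, pageOrigin);
}

// Builds the outgoing headers the way the adapter would, reading the token
// from a (constructed) cookie string only when the decision function says so.
function buildRequestHeaders(config, pageOrigin, cookieString, decide) {
  const headers = { ...(config.headers || {}) };
  const cookieName = config.xsrfCookieName || 'XSRF-TOKEN';   // axios defaults
  const headerName = config.xsrfHeaderName || 'X-XSRF-TOKEN';
  if (decide(config, pageOrigin)) {
    const pair = cookieString.split('; ').find((c) => c.startsWith(cookieName + '='));
    if (pair) headers[headerName] = decodeURIComponent(pair.slice(cookieName.length + 1));
  }
  return headers;
}

// Constructed sample: page on app.example.com, token cookie present,
// credentialed request to a different host.
const PAGE_ORIGIN = 'https://app.example.com';
const COOKIES = 'session=abc123; XSRF-TOKEN=tok-42';
const crossOrigin = { url: 'https://api.example.net/transfer', withCredentials: true };
console.log(buildRequestHeaders(crossOrigin, PAGE_ORIGIN, COOKIES, shouldSendXsrfTokenVulnerable)); // { 'X-XSRF-TOKEN': 'tok-42' }
console.log(buildRequestHeaders(crossOrigin, PAGE_ORIGIN, COOKIES, shouldSendXsrfTokenPatched));    // {}
```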