axios security issue #225

@kelvah

Description

Hi,

We got a new CVE ticket about axios for our project (OCM):
https://issues.redhat.com/browse/OCMUI-1491

CVE-2023-45857 axios: exposure of confidential data stored in cookies
https://bugzilla.redhat.com/show_bug.cgi?id=2248979

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

https://github.com/axios/axios/issues/6006
https://github.com/jeffbski/wait-on/pull/147

@redhat-cloud-services/rbac-client is on axios@^0.27.2

It's not clear if the reported issue was introduced with 1.5.1. Anyway, older versions of axios got their share of CVEs reported over time.

Do you think it could be possible to update it to latest?
Thanks!
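As an added illustration of the behaviour the advisory above describes (plain JavaScript written for this page, not axios source and not part of the issue), the following models the leaky header policy beside a same-origin-only policy and reports which destinations would receive the cookie value; the page origin and the cookie value are constructed.

```javascript
// Illustration of CVE-2023-45857 as described in the issue: a client that copies
// the XSRF-TOKEN cookie into an X-XSRF-TOKEN header on every request leaks it to
// third-party hosts. This is a model of the decision, not axios's own code.

const PAGE_ORIGIN = "https://app.example.test";          // constructed page origin
const COOKIES = { "XSRF-TOKEN": "tok-constructed-123" };  // constructed cookie jar

// Leaky policy (the behaviour the advisory describes): attach the cookie value
// regardless of which host the request is going to.
function buildHeadersLeaky(url) {
  const headers = {};
  if (COOKIES["XSRF-TOKEN"]) headers["X-XSRF-TOKEN"] = COOKIES["XSRF-TOKEN"];
  return headers;
}

// Same-origin check: scheme, host and port of the target must match the page
// that owns the cookie. Relative URLs resolve against the page origin.
function isSameOrigin(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Hardened policy: only attach the token for same-origin requests.
function buildHeadersSafe(url, pageOrigin = PAGE_ORIGIN) {
  const headers = {};
  if (COOKIES["XSRF-TOKEN"] && isSameOrigin(url, pageOrigin)) {
    headers["X-XSRF-TOKEN"] = COOKIES["XSRF-TOKEN"];
  }
  return headers;
}

// Audit helper: given the URLs a client talks to, list the ones that would get
// the token under the leaky policy but not under the same-origin policy.
function leakedDestinations(urls, pageOrigin = PAGE_ORIGIN) {
  return urls.filter(
    (u) =>
      "X-XSRF-TOKEN" in buildHeadersLeaky(u) &&
      !("X-XSRF-TOKEN" in buildHeadersSafe(u, pageOrigin))
  );
}

// Constructed sample of request destinations, including a scheme downgrade.
const SAMPLE_URLS = [
  "https://app.example.test/api/clusters",
  "/api/self",
  "https://api.third-party.test/track",
  "http://app.example.test/api/clusters",
];
console.log("Token would leak to:", leakedDestinations(SAMPLE_URLS));
```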
