-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency axios to v1 [security] #1180
base: master
Are you sure you want to change the base?
Conversation
Hi @renovate[bot]. Thanks for your PR. I'm waiting for a ti-community-infra member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
13c655e
to
3839a6b
Compare
3839a6b
to
4451afc
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
4451afc
to
f778d50
Compare
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
f778d50
to
a98c4db
Compare
This PR contains the following updates:
^0.27.0
->^1.0.0
GitHub Vulnerability Alerts
CVE-2023-45857
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
CVE-2025-27152
Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463
A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if
baseURL
is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.Details
Consider the following code snippet:
In this example, the request is sent to
http://attacker.test/
instead of thebaseURL
. As a result, the domain owner ofattacker.test
would receive theX-API-KEY
included in the request headers.It is recommended that:
baseURL
is set, passing an absolute URL such ashttp://attacker.test/
toget()
should not ignorebaseURL
.baseURL
with the user-provided parameter), axios should verify that the resulting URL still begins with the expectedbaseURL
.PoC
Follow the steps below to reproduce the issue:
Even though
baseURL
is set tohttp://localhost:10001/
, axios sends the request tohttp://localhost:10002/
.Impact
baseURL
and does not validate path parameters is affected by this issue.Release Notes
axios/axios (axios)
v1.8.2
Compare Source
Bug Fixes
Contributors to this release
v1.8.1
Compare Source
Bug Fixes
generateString
to platform utils to avoid importing crypto module into client builds; (#6789) (36a5a62)Contributors to this release
v1.8.0
Compare Source
Bug Fixes
Features
Reverts
BREAKING CHANGES
code relying on the above will now combine the URLs instead of prefer request URL
feat: add config option for allowing absolute URLs
fix: add default value for allowAbsoluteUrls in buildFullPath
fix: typo in flow control when setting allowAbsoluteUrls
Contributors to this release
1.7.9 (2024-12-04)
Reverts
Contributors to this release
1.7.8 (2024-11-25)
Bug Fixes
globalThis.TextEncoder
when available (#6634) (df956d1)Contributors to this release
1.7.7 (2024-08-31)
Bug Fixes
Contributors to this release
1.7.6 (2024-08-30)
Bug Fixes
Contributors to this release
1.7.5 (2024-08-23)
Bug Fixes
ReferenceError: navigator is not defined
for custom environments; (#6567) (fed1a4b)Contributors to this release
1.7.4 (2024-08-13)
Bug Fixes
Contributors to this release
1.7.3 (2024-08-01)
Bug Fixes
Contributors to this release
1.7.2 (2024-05-21)
Bug Fixes
Contributors to this release
1.7.1 (2024-05-20)
Bug Fixes
Contributors to this release
v1.7.9
Compare Source
Reverts
Contributors to this release
v1.7.8
Compare Source
Bug Fixes
globalThis.TextEncoder
when available (#6634) (df956d1)Contributors to this release
v1.7.7
Compare Source
Bug Fixes
Contributors to this release
v1.7.6
Compare Source
Bug Fixes
Contributors to this release
v1.7.5
Compare Source
Bug Fixes
ReferenceError: navigator is not defined
for custom environments; (#6567) (fed1a4b)Contributors to this release
v1.7.4
Compare Source
Bug Fixes
Contributors to this release
v1.7.3
Compare Source
Bug Fixes
Contributors to this release
v1.7.2
Compare Source
Bug Fixes
Contributors to this release
v1.7.1
Compare Source
Bug Fixes
Contributors to this release
v1.7.0
Compare Source
Features
Bug Fixes
Contributors to this release
v1.6.8
Compare Source
Bug Fixes
Contributors to this release
v1.6.7
Compare Source
Bug Fixes
Contributors to this release
v1.6.6
Compare Source
Bug Fixes
Contributors to this release
v1.6.5
Compare Source
Bug Fixes
Contributors to this release
v1.6.4
Compare Source
Bug Fixes
Contributors to this release
v1.6.3
Compare Source
Bug Fixes
Contributors to this release
v1.6.2
Compare Source
Features
withCredentials
behavior; (#6046) (cff9967)PRs
Contributors to this release
v1.6.1
Compare Source
Bug Fixes
Contributors to this release
PRs
v1.6.0
Compare Source
Bug Fixes
PRs
Contributors to this release
1.5.1 (2023-09-26)
Bug Fixes
Content-Type
header for FormData in non-browser environments; (#5917) (bc9af51)content-encoding
header to handle case-insensitive values (#5890) (#5892) (4c89f25)Contributors to this release
PRs
v1.5.1
Compare Source
Bug Fixes
Content-Type
header for FormData in non-browser environments; (#5917) (bc9af51)content-encoding
header to handle case-insensitive values (#5890) (#5892) (4c89f25)Contributors to this release
PRs