CVE-2024-39338 — Axios SSRF via absolute URL
A Server-Side Request Forgery (SSRF) vulnerability in the axios HTTP client allowed a path-relative URL passed by the caller to be silently turned into an absolute URL pointing at attacker-controlled infrastructure.
Affected versions
- axios < 1.7.4
What an attacker does
An attacker supplies a URL-like value to an axios.get() call whose URL argument is user-controlled. Under the right conditions, axios sends the outbound request to an attacker-controlled host instead of the target the developer intended. It was used in the wild to exfiltrate cloud-metadata credentials.
How to detect
Scan package.json and the lockfile for any resolved copy of axios below 1.7.4; the lockfile matters because it records the versions actually installed, including copies pulled in by other dependencies. Then review every axios call whose URL argument can be user-supplied.
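As an added example (not Securie's scanner and not axios project code), here is the lockfile half of that check: walk the flat `packages` map of an npm lockfile (lockfileVersion 2 or 3) and report every copy of axios older than 1.7.4. The sample lockfile is constructed; its direct axios dependency is patched, but a transitive dependency named `some-sdk` (a made-up package) pins an old copy that reading package.json alone would miss.

```javascript
// Added example, not from the advisory or the axios project.
const FIXED_VERSION = '1.7.4';

// "1.7.3" -> [1, 7, 3]; returns null for anything that is not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// lockfileVersion 2/3 lockfiles keep a flat "packages" map keyed by install
// path, so nested copies such as node_modules/x/node_modules/axios appear too.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const isAxios = installPath === 'node_modules/axios' ||
      installPath.endsWith('/node_modules/axios');
    if (!isAxios || !meta.version || !parseVersion(meta.version)) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: the app's own axios is fixed, a transitive copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.7.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.7.4' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '1.6.8' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.6.8' },
  },
};

// Usage: node scan.js ./package-lock.json (falls back to the sample above).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  console.log(findVulnerableAxios(lock));
}
```

In CI, `npm audit` performs the same resolved-version comparison against the advisory database; the walk above shows what that check has to look at and why a package.json range such as `^1.7.0` is not evidence on its own.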
How to fix
Upgrade axios to 1.7.4 or later. Additionally, validate URLs before making outbound requests: reject private IP ranges and enforce an allowlist of hosts.
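As an added example (not axios project code), the validation step below builds the outbound URL from a fixed base and a user-supplied path and refuses anything that changes the destination. The path-relative to absolute conversion behind this CVE comes from protocol-relative input (`//host/...`), so the check rejects that shape up front, and then, independently of how the path was spelled, confirms that the resolved origin is still the base origin, is allowlisted, and is not a private or link-local address. `ALLOWED_ORIGINS`, `buildOutboundUrl`, `rejectsPath` and the `api.example.internal` host are assumptions made for the example.

```javascript
// Added example, not from the advisory or the axios project.
// Hosts this service is meant to call (constructed allowlist).
const ALLOWED_ORIGINS = new Set(['https://api.example.internal']);

// True for an IPv4 literal, and fills out[] with its four octets.
function parseIPv4(h, out) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) return false;
  out.push(...octets);
  return true;
}

// Loopback, link-local (which covers the 169.254.169.254 metadata endpoint),
// RFC 1918 and the IPv6 equivalents. Literal check only: a public hostname
// that resolves to one of these ranges is not caught here.
function isPrivateHost(hostname) {
  let h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost') return true;
  if (h.startsWith('::ffff:')) h = h.slice(7); // IPv4-mapped IPv6 literal
  const o = [];
  if (parseIPv4(h, o)) {
    const [a, b] = o;
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (h.includes(':')) { // IPv6 literal
    return h === '::1' || h === '::' || /^f[cd]/.test(h) || h.startsWith('fe80');
  }
  return false;
}

function buildOutboundUrl(baseURL, userPath) {
  // 1. Only a single-slash path is acceptable. "//host/x" is protocol-relative
  //    and a backslash is treated as "/" by URL parsers, so both are rejected.
  if (typeof userPath !== 'string' || !userPath.startsWith('/') ||
      /^[\/\\]{2}/.test(userPath) || userPath.includes('\\')) {
    throw new Error('path must be a single-slash relative path');
  }
  const base = new URL(baseURL);
  const full = new URL(userPath, base);
  // 2. However the path was encoded, the resolved origin must not have moved.
  if (full.origin !== base.origin) {
    throw new Error('path changed the request origin');
  }
  // 3. Defence in depth on the final destination.
  if (!ALLOWED_ORIGINS.has(full.origin)) throw new Error('origin not allowlisted');
  if (isPrivateHost(full.hostname)) throw new Error('private address');
  return full.toString();
}

// Convenience for tests and logging: does the validator refuse this path?
function rejectsPath(baseURL, userPath) {
  try {
    buildOutboundUrl(baseURL, userPath);
    return false;
  } catch {
    return true;
  }
}

// Demo on constructed inputs: one legitimate path, two host-switching shapes.
const BASE = 'https://api.example.internal';
for (const p of ['/v1/users?id=7', '//evil.example/x', '/\t/evil.example']) {
  console.log(rejectsPath(BASE, p) ? 'rejected' : 'allowed ', JSON.stringify(p));
}
// With the dependency installed the call becomes:
//   axios.get(buildOutboundUrl(BASE, userPath))
```

Step 2 is the one that matters most: the tab-containing path in the demo passes the textual check because WHATWG parsers strip tabs and newlines before parsing, and only the origin comparison catches it. Keep the upgrade as the primary fix; this validation is the layer that protects the next parser quirk rather than this specific one.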
Securie's dependency scanner flags vulnerable axios versions in any scanned repo + live-validates the exploit path against sinks in your code.