HIGH · CVSS 7.5

CVE-2024-39338 — Axios protocol-confusion SSRF

A variant of the earlier axios SSRF (CVE-2024-39338) that affects later Node.js versions: under specific redirect chains, the request scheme is downgraded from https to http.

Affects
  • axios 0.30.0 through 1.7.3 (Node.js)

What an attacker does

Outbound axios requests whose hostname is user-controlled can be coerced into a scheme downgrade, so bearer tokens sent with the request are exposed to a plaintext HTTP endpoint.

How to detect

Run `npm ls axios` and check whether the installed version falls within the affected range.

How to fix

Upgrade axios to 1.7.4 or later.

How Securie catches it

Securie's Node scanner flags vulnerable axios versions together with redirect-sensitive usage patterns.

References