CVE-2024-39338: Server-Side Request Forgery in axios

August 12, 2024 (updated October 3, 2024)

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

References

github.com/advisories/GHSA-8hc4-vh64-cxmj
github.com/axios/axios
github.com/axios/axios/issues/6463
github.com/axios/axios/pull/6539
github.com/axios/axios/releases
jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html
nvd.nist.gov/vuln/detail/CVE-2024-39338

Code Behaviors & Features

Detect and mitigate CVE-2024-39338 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →