Starting from Axios v1.8.0, the allowAbsoluteUrls attribute was introduced in Axios configurations to restrict the use of absolute URLs in request methods and mitigate SSRF vulnerabilities. (PR: axios/axios#6795)
This setting must be passed as the third parameter to the buildFullPath function. However, it is currently being ignored in the call to this function from the HTTP adapter.
Due to this oversight, it is still possible to make requests to absolute URLs even when the allowAbsoluteUrls configuration attribute is explicitly set to false.
```js
const fullPath = buildFullPath(config.baseURL, config.url);
```

This issue could allow attackers to bypass the intended security configuration and force requests to unintended external domains. This could lead to security vulnerabilities such as Server-Side Request Forgery (SSRF) or data exfiltration by tricking applications into sending sensitive requests to malicious endpoints.
- Install Axios:

```shell
npm install axios@1.8.1
```

- Run the following code:

```js
const axios = require('axios');
const client = axios.create({baseURL: 'http://example.com/', allowAbsoluteUrls: false});
client.get('http://evil.com');
```

- Issue Explanation:
The request will be sent to evil.com instead of example.com, which is unexpected behavior. It should be directed to example.com.
Include the allowAbsoluteUrls parameter in the call to the buildFullPath function:

```js
const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
```
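To make the effect of the missing third argument observable offline, the following added example (not axios' own code) re-implements the URL helpers in simplified form with the v1.8.0 three-parameter signature and runs the report's sample config through both the adapter call before the fix and the corrected one; the helper names and the `sampleConfig` values are constructed for this illustration.

```javascript
// Simplified re-implementation of axios' URL helpers (added example, not axios' code).
const ABSOLUTE_URL_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteURL(url) {
  return ABSOLUTE_URL_RE.test(url);
}

function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Mirrors the signature introduced in v1.8.0: the third argument decides whether an
// absolute requestedURL may escape baseURL. An omitted (undefined) value does not
// equal false, so the absolute URL is returned untouched.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls) {
  const isRelativeUrl = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelativeUrl || allowAbsoluteUrls == false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Adapter call before the fix: config.allowAbsoluteUrls never reaches buildFullPath.
function vulnerableAdapterPath(config) {
  return buildFullPath(config.baseURL, config.url);
}

// Adapter call after the fix: the setting is forwarded as the third parameter.
function fixedAdapterPath(config) {
  return buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls);
}

// Constructed sample config matching the reproduction steps in the report.
const sampleConfig = {
  baseURL: 'http://example.com/',
  url: 'http://evil.com',
  allowAbsoluteUrls: false,
};

function demo() {
  return {
    vulnerable: vulnerableAdapterPath(sampleConfig), // 'http://evil.com' (baseURL bypassed)
    fixed: fixedAdapterPath(sampleConfig),           // 'http://example.com/http://evil.com'
    relative: fixedAdapterPath({ ...sampleConfig, url: '/api/items' }), // 'http://example.com/api/items'
  };
}

console.log(demo());
```

With the fix applied the absolute URL is pinned under baseURL, so the request reaches example.com rather than evil.com.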