Skip to content

[GHSA-jr5f-v2jv-69x6] axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL#5356

Closed
mhassan1 wants to merge 1 commit intomhassan1/advisory-improvement-5356from
mhassan1-GHSA-jr5f-v2jv-69x6
Closed

[GHSA-jr5f-v2jv-69x6] axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL#5356
mhassan1 wants to merge 1 commit intomhassan1/advisory-improvement-5356from
mhassan1-GHSA-jr5f-v2jv-69x6

Conversation

@mhassan1
Copy link

@mhassan1 mhassan1 commented Mar 12, 2025

Updates

  • Affected products
  • CVSS v4
  • References

Comments
Version 1.8.2 contained an incomplete fix (it only included the http adapter); version 1.8.3 contains the fix for the xhr and fetch adapters

@github
Copy link
Collaborator

github commented Mar 12, 2025

Hi there @jasonsaayman! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to mhassan1/advisory-improvement-5356 March 12, 2025 11:38
@mhassan1 mhassan1 marked this pull request as draft March 12, 2025 11:46
mhassan1
mhassan1 commented Mar 12, 2025
View reviewed changes
advisories/github-reviewed/2025/03/GHSA-jr5f-v2jv-69x6/GHSA-jr5f-v2jv-69x6.json
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
Copy link
Author

@mhassan1 mhassan1 Mar 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't intend to remove the E metric, but the advisory improvement screen forced me to remove it, and I don't see a way to put it back.

Copy link
Author

@mhassan1 mhassan1 Mar 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened an issue about this limitation in the advisory improvement screen: #5357.

@mhassan1 mhassan1 marked this pull request as ready for review March 12, 2025 11:57
@mhassan1 mhassan1 mentioned this pull request Mar 12, 2025
Closed
@JonathanLEvans
Copy link

JonathanLEvans commented Mar 12, 2025

If there is an incomplete fix, then a separate advisory and CVE ID may be issued. I would like @jasonsaayman's thought on how to handle this.

@mhassan1 mhassan1 mentioned this pull request Mar 12, 2025
Open
@thatguyinabeanie thatguyinabeanie mentioned this pull request Mar 13, 2025
Merged
@jasonsaayman
Copy link

jasonsaayman commented Mar 19, 2025

@JonathanLEvans I don't know what the standard practice is when it comes to a incomplete fix, however I think it may be better to handle it as a separate CVE.

@github-actions github-actions bot deleted the mhassan1-GHSA-jr5f-v2jv-69x6 branch March 20, 2025 18:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mhassan1 @github @JonathanLEvans @jasonsaayman