GHSA-8hc4-vh64-cxmj
HIGH
Server-Side Request Forgery in axios
Published: August 12, 2024. Updated: February 4, 2026. Source: osv
Details
axios 1.7.2 allows SSRF through unexpected URL handling: a request for a path-relative URL is processed as a protocol-relative URL, so the request can be sent to a different host than intended.
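An added illustration (not axios project code) of the defender-side check the advisory implies: resolve each request path against the intended baseURL with the WHATWG URL parser and reject any result whose origin differs, which is exactly what a protocol-relative `//host/path` produces. `resolveSameOrigin`, the base URL and the sample paths are constructed for this example.

```javascript
// Added example, not part of the advisory or of axios: resolve a request
// path against a trusted baseURL and refuse anything that leaves that origin.
// Intended to run before the URL is handed to an HTTP client.
function resolveSameOrigin(baseURL, requestPath) {
  const base = new URL(baseURL);
  let target;
  try {
    // WHATWG resolution: '/x' stays on the base host, while '//host/x' is
    // scheme-relative and resolves to 'host', the behaviour the advisory describes.
    target = new URL(requestPath, base);
  } catch {
    return null; // unparsable input: refuse rather than guess
  }
  if (target.origin !== base.origin) {
    return null; // protocol-relative or absolute URL pointing off-origin
  }
  return target.href;
}

// Constructed inputs covering the cases a caller is likely to see.
const BASE = 'https://api.internal.example';
const SAMPLES = [
  '/users/42',              // path-relative: allowed
  'users/42',               // relative without leading slash: allowed
  '//other.example/users',  // protocol-relative: resolves off-origin, rejected
  'http://other.example/',  // absolute off-origin: rejected
];

function classifySamples() {
  return SAMPLES.map((p) => [p, resolveSameOrigin(BASE, p)]);
}

for (const [input, result] of classifySamples()) {
  console.log(input.padEnd(26), '->', result ?? 'REJECTED');
}
```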
Remediation
Upgrade to the fixed version using your package manager.
npm
Update axios to 1.7.4 or later:
npm install axios@1.7.4
After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.
Affected Packages (1)
| Package | Ecosystem | Affected | Fixed In |
|---|---|---|---|
| axios | npm | All versions | 1.7.4 |
Vulnerability Classification
Common Weakness Enumeration (CWE) identifiers for this vulnerability type.
- CWE-918: Server-Side Request Forgery (SSRF) (MITRE)
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-39338 (advisory)
- https://github.com/axios/axios/issues/6463 (web)
- https://github.com/axios/axios/pull/6539 (web)
- https://github.com/axios/axios/pull/6543 (web)
- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a (web)
- https://github.com/axios/axios (package)
- https://github.com/axios/axios/releases (web)
- https://github.com/axios/axios/releases/tag/v1.7.4 (web)
- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html (web)
Risk Assessment
EPSS Score (30-day exploit probability)
2.88%
Higher than 86% of vulnerabilities