GHSA-wf5p-g6vw-rhxx - MODERATE Vulnerability | GeekWala
Loading...
Skip to main content
GeekWala

GHSA-wf5p-g6vw-rhxx

MODERATE

Axios Cross-Site Request Forgery Vulnerability

Published November 8, 2023Updated February 4, 2026Source: osv

Details

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Remediation

Upgrade to the fixed version using your package manager.

npm
Update axios to 0.28.0 or later
npm install axios@0.28.0
npm
Update axios to 1.6.0 or later
npm install axios@1.6.0

After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.

Affected Packages (2)

PackageEcosystemAffectedFixed In
axios
npm
All versions0.28.0
axios
npm
All versions1.6.0

Vulnerability Classification

Common Weakness Enumeration (CWE) identifiers for this vulnerability type.

  • CWE-352
    Cross-Site Request Forgery (CSRF)MITRE

CVSS Score Breakdown

What the CVSS (Common Vulnerability Scoring System) 3.1 score means for each attack dimension.

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

Risk Assessment

CVSS Score
3.1

Exploitation is difficult or impact is minor. Address in your next planned update.

EPSS Score (30-day exploit probability)
0.06%
Higher than 20% of vulnerabilities

Also Known As

CVE-2023-45857

Check if you're affected

Scan your dependencies to see if this vulnerability affects your projects.

Scan Your Dependencies