CVE-2020-28168: Requests that follow a redirect are not passing via the proxy · Issue #3369 · axios/axios
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Describe the bug
In cases where axios is used by servers to perform HTTP requests to user-supplied URLs, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a URL that responds with a redirect to a restricted host/IP.
To Reproduce
The following code spawns a proxy server that always responds with a 302 redirect, so requests should never reach the target URL. However, axios only reaches the proxy once and bypasses the proxy after the redirect response.
https://runkit.com/embed/1df5qy8lbgnc
```javascript
const axios = require('axios')
const http = require('http')

const PROXY_PORT = 8080

// A fake proxy server: every request it receives is answered with a
// 302 redirect, so a client that routes all hops through the proxy
// should end up in a redirect loop and never reach the target.
http.createServer(function (req, res) {
  res.writeHead(302, { location: 'http://example.com' })
  res.end()
}).listen(PROXY_PORT)

axios({
  method: 'get',
  url: 'http://www.google.com/',
  proxy: {
    host: 'localhost',
    port: PROXY_PORT,
  },
})
  .then(r => console.log(r.data))
  .catch(console.error)
```
The response is the rendered HTML of http://example.com
Expected behavior
All the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.
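One way to enforce the expected behaviour at the application level is to stop the HTTP client from following redirects itself and re-issue each hop with the original proxy configuration carried forward explicitly. The code below is an added example, not part of this issue or of the axios project; it assumes an axios-like `request(config)` function that resolves with `{ status, headers }` and that is configured not to follow redirects (`maxRedirects: 0`, with 3xx statuses accepted by `validateStatus`). The names `nextHopConfig`, `requestViaProxy` and `fakeProxiedRequest` are hypothetical, and the redirect chain in the demo is constructed inline.

```javascript
// Added example: follow redirects manually so every hop goes through the proxy.
// Assumes an axios-like request(config) -> Promise<{ status, headers }>.

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Build the config for the next hop of a redirect chain.
// Returns null when the response is not a redirect; throws when the
// hop limit is exceeded (a redirect loop shows up as this error).
function nextHopConfig(config, response, hops, maxRedirects = 5) {
  if (!REDIRECT_STATUSES.has(response.status)) return null;
  const location = response.headers && response.headers.location;
  if (!location) return null;
  if (hops >= maxRedirects) {
    throw new Error(`too many redirects (limit ${maxRedirects})`);
  }
  // Location may be relative; resolve it against the URL we just requested.
  const target = new URL(location, config.url).toString();
  // 303 always switches to GET; 301/302 conventionally do so for POST.
  const wasPost = typeof config.method === 'string' && config.method.toUpperCase() === 'POST';
  const switchToGet = response.status === 303 ||
    ((response.status === 301 || response.status === 302) && wasPost);
  const next = {
    ...config,
    url: target,
    method: switchToGet ? 'get' : config.method,
    // Carry the proxy forward explicitly: this is what the buggy client dropped.
    proxy: config.proxy,
    // Never let the underlying client follow a redirect on its own.
    maxRedirects: 0,
  };
  if (switchToGet) delete next.data;
  return next;
}

// Drive a full request, hop by hop, through the injected request function.
async function requestViaProxy(request, config, maxRedirects = 5) {
  let current = {
    ...config,
    maxRedirects: 0,
    validateStatus: (s) => s >= 200 && s < 400,
  };
  const chain = [current.url];
  for (let hops = 0; ; hops++) {
    const response = await request(current);
    const next = nextHopConfig(current, response, hops, maxRedirects);
    if (!next) return { response, chain };
    chain.push(next.url);
    current = next;
  }
}

// Constructed stand-in for the HTTP client: records which proxy each hop
// used and replays the redirect from the issue (google -> example.com).
const hopsSeen = [];
async function fakeProxiedRequest(config) {
  hopsSeen.push({ url: config.url, proxy: config.proxy });
  if (config.url === 'http://www.google.com/') {
    return { status: 302, headers: { location: 'http://example.com' } };
  }
  return { status: 200, headers: {} };
}

const demoConfig = {
  method: 'get',
  url: 'http://www.google.com/',
  proxy: { host: 'localhost', port: 8080 },
};

requestViaProxy(fakeProxiedRequest, demoConfig)
  .then(({ chain }) => console.log('chain:', chain, 'hops via proxy:', hopsSeen))
  .catch(console.error);
```

Against the fake proxy from the reproduction above, which answers every request with a 302, this loop terminates with the "too many redirects" error instead of silently fetching the redirect target directly; that is the redirect-loop outcome the expected-behaviour section calls for.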
Environment
- Axios Version [0.21.0]
- Node.js Version [v12.18.2]