
CVE-2023-45857: CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor · Issue #6006 · axios/axios

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.


Describe the bug

Hi team, @jasonsaayman and @DigitalBrainJS,

The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

It’s crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.
You may check it here:
https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

To Reproduce

  1. Start a new project using the latest version of Next.js by running the following command: npx create-next-app@latest. Then, install the latest version of the Axios library with this command: npm i axios

  2. Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests:

    import axios from "axios";

    const instance = axios.create({ withCredentials: true });

  3. Install the XSRF-TOKEN cookie with specific attributes. Set the cookie value “whatever” and configure it for the “localhost” domain with a strict same-site policy:

    // The cookie helper is not named in the report; universal-cookie is assumed here.
    import Cookies from "universal-cookie";

    const cookies = new Cookies();
    cookies.set("XSRF-TOKEN", "whatever", {
      domain: "localhost",
      sameSite: "strict",
    });

  4. Initiate a cross-domain request using your Axios instance. In this example, we’re making a GET request to “https://www.com/,” and we handle the response and potential errors:

    instance
      .get("https://www.com")
      .then((res) => console.log(res.data))
      .catch((err) => console.error(err.message));

  5. Run your project, and open the browser’s network tab for debugging and monitoring network activity.

  6. Verify that the cross-domain request to “https://www.com/” includes the “X-XSRF-TOKEN” header with the value “whatever.”

  7. Confirm that the “XSRF-TOKEN” cookie’s value is disclosed to any 3rd-party host when making requests using the Axios instance. This is essential for security as you don’t want to leak CSRF tokens to unauthorized entities.

Code snippet

lib/adapters/xhr.js:191

    const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))

Expected behavior

ER: the XSRF-TOKEN is not disclosed to a 3rd party host
AR: the XSRF-TOKEN is disclosed in every request made with the Axios instance

Axios Version

[v0.8.1] - [v1.5.1 (actual)]

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

No response

OS

No response

Additional Library Versions

No response

Additional context/Screenshots

The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it’s necessary.

https://prnt.sc/xDcRmFozxSHJ
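The condition the report quotes from lib/adapters/xhr.js can be modelled in a few lines to see why it leaks and what a same-origin-only rule looks like beside it. The following is an added example, not axios's code and not the issue author's: it assumes a page origin of http://localhost:3000, a constructed cookie jar holding the “whatever” token, an opt-in option named `withXSRFToken` (the name axios later adopted for this purpose; the logic here is a model of the idea, not the library's implementation), and a constructed request-log shape for the `findTokenLeaks` check, which automates the network-tab verification in steps 6 and 7 of the repro.

```javascript
// Added example (not axios's own code): models the header-attachment rule the
// report quotes from lib/adapters/xhr.js, a same-origin-only rule beside it,
// and a log check of the kind the repro's network-tab steps describe.

// Constructed sample environment: the app's own origin and its cookie jar.
const PAGE_ORIGIN = "http://localhost:3000";
const COOKIE_JAR = { "XSRF-TOKEN": "whatever" };

// Same-origin test: resolve the request URL against the page and compare
// scheme + host + port. Stands in for axios's isURLSameOrigin helper.
function isURLSameOrigin(requestUrl, pageOrigin = PAGE_ORIGIN) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

function readCookie(name, jar = COOKIE_JAR) {
  return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : null;
}

// Vulnerable rule, as quoted in the report: withCredentials alone is enough to
// attach the cookie value, so it goes to every host, not only the issuing one.
function xsrfHeadersVulnerable(config, requestUrl) {
  const send = Boolean(config.withCredentials) || isURLSameOrigin(requestUrl);
  const value = send ? readCookie(config.xsrfCookieName || "XSRF-TOKEN") : null;
  return value ? { [config.xsrfHeaderName || "X-XSRF-TOKEN"]: value } : {};
}

// Hardened rule: attach only on same-origin requests unless the caller opts in
// explicitly per request. `withXSRFToken` is an assumed option name for this
// model; withCredentials no longer plays any part in the decision.
function xsrfHeadersHardened(config, requestUrl) {
  const optIn = config.withXSRFToken;
  const send = optIn === true || (optIn !== false && isURLSameOrigin(requestUrl));
  const value = send ? readCookie(config.xsrfCookieName || "XSRF-TOKEN") : null;
  return value ? { [config.xsrfHeaderName || "X-XSRF-TOKEN"]: value } : {};
}

// Defender's check over a captured request log (record shape constructed for
// this example: { url, headers }): flag cross-origin requests carrying the
// XSRF header, which is exactly the disclosure the report describes.
function findTokenLeaks(requests, pageOrigin = PAGE_ORIGIN, headerName = "X-XSRF-TOKEN") {
  const wanted = headerName.toLowerCase();
  return requests
    .filter((r) => !isURLSameOrigin(r.url, pageOrigin))
    .filter((r) => Object.keys(r.headers).some((h) => h.toLowerCase() === wanted))
    .map((r) => ({ url: r.url, host: new URL(r.url).host }));
}

// Reproduce the report's scenario against both rules and scan the resulting log.
function demo() {
  const config = { withCredentials: true };
  const crossOrigin = "https://www.com/";
  const vulnerable = xsrfHeadersVulnerable(config, crossOrigin);
  const hardened = xsrfHeadersHardened(config, crossOrigin);
  const log = [
    { url: "http://localhost:3000/api/me", headers: { "X-XSRF-TOKEN": "whatever" } },
    { url: crossOrigin, headers: vulnerable },
  ];
  return { vulnerable, hardened, leaks: findTokenLeaks(log) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable rule attaching `X-XSRF-TOKEN: whatever` to the request for https://www.com/ while the hardened rule attaches nothing, and `findTokenLeaks` reports that one cross-origin request. The same check can be pointed at an exported HAR or proxy log to confirm the workaround in the report (renaming the cookie and adding the header by hand) actually removed every cross-origin occurrence of the header.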

Related news

Red Hat Security Advisory 2024-5314-03

Red Hat Security Advisory 2024-5314-03 - Red Hat OpenShift Virtualization release 4.13.10 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-4455-03

Red Hat Security Advisory 2024-4455-03 - Red Hat OpenShift Virtualization release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-4269-03

Red Hat Security Advisory 2024-4269-03 - Red Hat OpenShift Virtualization release 4.12.12 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-3989-03

Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3920-03

Red Hat Security Advisory 2024-3920-03 - Migration Toolkit for Runtimes 1.2.6 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a password leak vulnerability.

Red Hat Security Advisory 2024-3473-03

Red Hat Security Advisory 2024-3473-03 - Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-1640-03

Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.

GHSA-wf5p-g6vw-rhxx: Axios Cross-Site Request Forgery Vulnerability

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
