Headline
CVE-2023-45857: CVE-2023-45857 (CWE-359) XSRF-TOKEN value is disclosed to an unauthorised actor · Issue #6006 · axios/axios
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host when withCredentials is enabled, allowing attackers to view sensitive information.
Describe the bug
Hi team, @jasonsaayman and @DigitalBrainJS,
The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN cookie is available and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to a bypass of the XSRF defence mechanism.
It’s crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.
You may check it here:
https://portswigger.net/web-security/csrf/preventing
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
To Reproduce
Start a new project using the latest version of Next.js by running the following command: npx create-next-app@latest. Then, install the latest version of the Axios library with this command: npm i axios
Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests:
import axios from "axios";
const instance = axios.create({ withCredentials: true });
Install the XSRF-TOKEN cookie with specific attributes. Set the cookie value “whatever” and configure it for the “localhost” domain with a strict same-site policy:
import Cookies from "universal-cookie"; // assumed: the Cookies class used here matches the universal-cookie package
const cookies = new Cookies();
cookies.set("XSRF-TOKEN", "whatever", { domain: "localhost", sameSite: "strict" });
Initiate a cross-domain request using your Axios instance. In this example, we’re making a GET request to “https://www.com/,” and we handle the response and potential errors:
instance
  .get("https://www.com")
  .then((res) => console.log(res.data))
  .catch((err) => console.error(err.message));
Run your project, and open the browser’s network tab for debugging and monitoring network activity.
Verify that the cross-domain request to “https://www.com/” includes the “X-XSRF-TOKEN” header with the value “whatever.”
Confirm that the “XSRF-TOKEN” cookie’s value is disclosed to any 3rd-party host when making requests using the Axios instance. This is essential for security as you don’t want to leak CSRF tokens to unauthorized entities.
Code snippet
lib/adapters/xhr.js:191 const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
Expected behavior
Expected result: the XSRF-TOKEN is not disclosed to a 3rd-party host
Actual result: the XSRF-TOKEN is disclosed in every request made with the Axios instance
Axios Version
v0.8.1 to v1.5.1 (current)
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it’s necessary.
https://prnt.sc/xDcRmFozxSHJ
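As an added example (not code from the axios project or from the issue reporter), the following JavaScript models the header-attachment rule the issue quotes from lib/adapters/xhr.js as a pure function, puts a hardened same-origin-only rule beside it, and shows the reporter's workaround (a non-default xsrfCookieName plus a manual header on same-origin calls only). The helper names, the page origin http://localhost:3000 and the cookie string are constructed for illustration.

```javascript
// Added example, not axios's own code: a pure-function model of the
// X-XSRF-TOKEN attachment rule quoted in the issue, next to a hardened rule
// and the workaround the reporter describes. Names and sample data are
// constructed for illustration.

const DEFAULT_XSRF_COOKIE = "XSRF-TOKEN";
const DEFAULT_XSRF_HEADER = "X-XSRF-TOKEN";

// Reads one cookie out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) return decodeURIComponent(part.slice(idx + 1).trim());
  }
  return null;
}

// Origin comparison: scheme, host and port of the target must match the page.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Vulnerable rule (models the line the issue quotes): withCredentials alone
// is enough to attach the cookie value, whatever host the request targets.
function xsrfHeaderVulnerable(opts) {
  const {
    url, pageOrigin, cookieString, withCredentials = false,
    xsrfCookieName = DEFAULT_XSRF_COOKIE, xsrfHeaderName = DEFAULT_XSRF_HEADER,
  } = opts;
  const attach = withCredentials || isSameOrigin(url, pageOrigin);
  const value = attach && xsrfCookieName && readCookie(cookieString, xsrfCookieName);
  return value ? { [xsrfHeaderName]: value } : {};
}

// Hardened rule: the token is only ever sent back to the page's own origin;
// withCredentials decides whether cookies ride along, not where the
// anti-CSRF token may be revealed.
function xsrfHeaderHardened(opts) {
  const {
    url, pageOrigin, cookieString,
    xsrfCookieName = DEFAULT_XSRF_COOKIE, xsrfHeaderName = DEFAULT_XSRF_HEADER,
  } = opts;
  if (!isSameOrigin(url, pageOrigin)) return {};
  const value = xsrfCookieName && readCookie(cookieString, xsrfCookieName);
  return value ? { [xsrfHeaderName]: value } : {};
}

// The reporter's workaround under the vulnerable rule: point xsrfCookieName at
// a name that does not exist so the automatic lookup finds nothing, then add
// the header by hand only on the same-origin calls that need it.
function xsrfHeaderWorkaround(opts) {
  const auto = xsrfHeaderVulnerable({ ...opts, xsrfCookieName: "axios-xsrf-disabled" });
  if (!isSameOrigin(opts.url, opts.pageOrigin)) return auto; // always {}
  const value = readCookie(opts.cookieString, DEFAULT_XSRF_COOKIE);
  return value ? { ...auto, [DEFAULT_XSRF_HEADER]: value } : auto;
}

// Constructed scenario mirroring the issue's reproduction steps:
// a Next.js dev page on localhost, the XSRF-TOKEN cookie set to "whatever",
// withCredentials turned on, one cross-origin and one same-origin request.
const SCENARIO = {
  pageOrigin: "http://localhost:3000",
  cookieString: "XSRF-TOKEN=whatever; session=abc123",
  withCredentials: true,
};

function runScenario() {
  const crossOrigin = { ...SCENARIO, url: "https://www.com" };
  const sameOrigin = { ...SCENARIO, url: "/api/profile" };
  return {
    vulnerableCross: xsrfHeaderVulnerable(crossOrigin),
    vulnerableSame: xsrfHeaderVulnerable(sameOrigin),
    hardenedCross: xsrfHeaderHardened(crossOrigin),
    hardenedSame: xsrfHeaderHardened(sameOrigin),
    workaroundCross: xsrfHeaderWorkaround(crossOrigin),
    workaroundSame: xsrfHeaderWorkaround(sameOrigin),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Under the vulnerable rule the cross-origin request to https://www.com carries X-XSRF-TOKEN: whatever, which is exactly the leak the reproduction steps demonstrate; the hardened rule and the workaround both keep the token on same-origin calls and send nothing cross-origin. The origin check deliberately compares scheme, host and port, so a request to http://localhost:3001 from a page on http://localhost:3000 also gets no token.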