Possible bug: Vulnerability SSRF

[parichkova]

Describe the bug

In my current project we are using Snyk to catch any possible issues and vulnerabilities.
Snyk reports that since version 0.19.0 there is SSRF vulnerability that has no been fixed yet.

This is the message:
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Could you please verify?
Thanks in advance.

To Reproduce

Any pen tests or just using Snyk to scan any app that uses axios.

Expected behavior

No vulnerabilities alerts.

Environment

• Axios Version [0.21.0]
• Adapter [HTTP]
• Browser [All]
• Browser Version [x]
• Node.js Version [12.14.1]
• OS: [x]
• Additional Library Versions [x]

Additional context/Screenshots

Add any other context about the problem here. If applicable, add screenshots to help explain.

[timemachine3030]

Thanks for the report. I'll start looking into the remediation.

https://snyk.io/vuln/SNYK-JS-AXIOS-1038255

[andyedwardsibm]

FYI this has become https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168

[wickedest]

@jasonsaayman, do you have an ETA for v0.21.1 or a patch with respect to this CVE?

Bumping here too. This issue seems to no longer be IP for 0.21.1 release

[tomqwpl]

We have had to disable the package audit check on our build in order to make it pass as a result of this. It would be highly desirable to have an official maintenance release with this in as soon as possible. I must say I'm surprised this hasn't been released sooner, since it's the subject of a CVE.

[jablpiotrek]

+1 to what tomqwpl wrote, this became a blocker in our case, as audit-js / snyk is marking this a vulnerable package, thus pipelines glow red. It would be so cool to have release scheduled, especially as from what I see here https://github.com/axios/axios/projects/7 board for v0.21.1 is cleared.

[taltal78]

+1 here.. our pipelines red, waiting for this to be out

[marikaner]

It currently breaks the pipelines of our customers...

[tomqwpl]

@emilyemorehouse As being the one who generally seems to release axios, can we consider a new release with this fix in so that the vulnerability can be addressed?
Thanks.