CVE-2025-27152 (Medium) Detected In Axios-0.21.4.tgz

by ADMIN

Introduction to the Vulnerability

The CVE-2025-27152 vulnerability is a medium-severity issue, as scored in this report, detected in the axios-0.21.4.tgz library, a promise-based HTTP client for the browser and node.js. This article covers what the bug is, how it can be abused, and the fix, so that developers and security teams can judge how urgently to act on it.

CVE-2025-27152 - Medium Severity Vulnerability

Vulnerable Library - axios-0.21.4.tgz

axios-0.21.4.tgz is the npm tarball of axios, a widely used promise-based HTTP client for the browser and node.js. The version pinned here resolves request URLs in a way that lets a caller-supplied absolute URL silently override a configured baseURL, which can lead to Server-Side Request Forgery (SSRF) and credential leakage.

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Note that this link is the package tarball on the npm registry, not documentation; the project's source, changelog and documentation are at https://github.com/axios/axios.

Dependency Hierarchy

Vulnerable Library - axios-0.21.4.tgz

Dependency Hierarchy:

  • :x: axios-0.21.4.tgz (Vulnerable Library)

axios is a direct dependency of the scanned project, with no intermediate package above it in the hierarchy, so the fix is a change to the project's own package.json and lockfile rather than waiting on an upstream package to update.

Found in HEAD commit: https://github.com/zurichat/zc_plugin_dm/commit/41f949b863ead7c74b72a01845dbe0d88c24a364

The vulnerability was found in the HEAD commit of the zurichat/zc_plugin_dm repository.

Found in base branch: main

The vulnerability was also found in the main branch of the repository.

Vulnerability Details

axios is a promise based HTTP client for the browser and node.js

The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios

axios decides whether to prepend baseURL by testing the request url against a pattern that matches a scheme followed by "//". Because the scheme is optional in that pattern, a protocol-relative url such as //host/path is treated as absolute as well; only path-relative urls (for example /users/42) are joined to baseURL.

Even if baseURL is set, axios sends the request to the specified absolute URL

So if any part of the url argument is attacker-controlled, for example a path taken from user input and passed to an axios instance configured with a baseURL, the attacker chooses the destination host. On the server this is SSRF: the application makes a request to a host of the attacker's choosing, including internal services reachable from the server. On either side, anything the instance attaches to every request (an Authorization header set in defaults, an API key, cookies sent by the browser) is delivered to that host, which is the credential leakage.

This issue impacts both server-side and client-side usage of axios

Both Node.js and browser usage are affected, because the URL-resolution logic is shared by the http (Node) and xhr/fetch (browser) adapters.

This issue is fixed in 1.8.2

The fix is the allowAbsoluteUrls request option, introduced in the 1.8 line and honored by all adapters from 1.8.2. Setting it to false on an instance makes axios combine the url with baseURL instead of honoring an absolute url. The option defaults to true, so upgrading alone does not change the behavior of existing call sites: set allowAbsoluteUrls: false on instances that use a baseURL, or validate the url before the call.
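The resolution rule and a hardened alternative, as an added example that is not axios's own code and not code from the scanned project: buildFullPathUnsafe reproduces the baseURL/url combination rule axios 0.21.4 applies (and that later versions still apply by default), and buildFullPathSafe shows what a caller-side guard should do, i.e. what allowAbsoluteUrls: false plus an origin check buys you. The hosts api.internal.example and attacker.example, the config shape, and the interceptor name rejectAbsoluteUrls are assumptions.

```javascript
// Added example, not code from axios or from the scanned project. The regex
// and the string joining below reproduce the rule axios applies when
// combining baseURL with a request url; the host names are made up.

// Matches "scheme://..." and, because the scheme group is optional,
// protocol-relative "//host/..." as well.
const ABSOLUTE_URL_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

function isAbsoluteURL(url) {
  return ABSOLUTE_URL_RE.test(url);
}

// Vulnerable behaviour (axios 0.21.4, and still the default after 1.8.2):
// an absolute url wins and baseURL is silently ignored.
function buildFullPathUnsafe(baseURL, requestedURL) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return baseURL.replace(/\/?\/$/, '') + '/' + requestedURL.replace(/^\/+/, '');
  }
  return requestedURL;
}

// Hardened resolver. With allowAbsoluteUrls left false (the safe setting),
// absolute and protocol-relative urls are rejected outright, and the joined
// result is parsed and pinned to the baseURL's origin so that no path trick
// can move the request to another host.
function buildFullPathSafe(baseURL, requestedURL, { allowAbsoluteUrls = false } = {}) {
  if (!baseURL) throw new Error('a baseURL is required');
  if (isAbsoluteURL(requestedURL)) {
    if (!allowAbsoluteUrls) throw new Error(`absolute url rejected: ${requestedURL}`);
    return requestedURL; // caller explicitly opted in, as with the axios option
  }
  const base = new URL(baseURL);
  const joined = base.href.replace(/\/?\/$/, '') + '/' + requestedURL.replace(/^\/+/, '');
  const resolved = new URL(joined);
  if (resolved.origin !== base.origin) {
    throw new Error(`resolved url left ${base.origin}: ${resolved.href}`);
  }
  return resolved.href;
}

// Guard for an axios request interceptor (assumed usage:
// instance.interceptors.request.use(rejectAbsoluteUrls)). It only reads the
// baseURL and url fields of an axios-style config object and fails the
// request before any adapter runs.
function rejectAbsoluteUrls(config) {
  if (config.baseURL && typeof config.url === 'string') {
    buildFullPathSafe(config.baseURL, config.url); // throws on bad input
  }
  return config;
}
```

The origin check is the part that matters after an upgrade: allowAbsoluteUrls: false stops the scheme and "//" cases, but pinning the parsed result to the baseURL's origin also covers any future parser quirk, and failing closed in an interceptor means a single registration protects every call on the instance.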

Publish Date: 2025-03-07

URL: https://www.mend.io/vulnerability-database/CVE-2025-27152

The advisory was published on 2025-03-07, the same day the fixed release shipped; the Mend vulnerability database entry is at the URL above.

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

These metrics compute to a 5.5 base score, but they describe a local, user-assisted availability problem with no confidentiality impact, which does not fit an SSRF and credential-leak bug. The NVD entry for this CVE scores it 7.5 (High) with a network attack vector, no user interaction and high confidentiality impact. Treat the 5.5 here as a lower bound and prioritize on the real exposure: whether any url argument passed to axios can be influenced by untrusted input.

Suggested Fix

Type: Upgrade version

Release Date: 2025-03-07

Fix Resolution: v1.8.2

Upgrade axios to 1.8.2 or later (npm install axios@^1.8.2, then commit the updated lockfile). Two caveats apply. First, moving from 0.21.4 to 1.8.2 crosses a major version, so expect breaking changes and run the test suite rather than assuming a drop-in replacement. Second, the patched version keeps the old behavior by default: the allowAbsoluteUrls option defaults to true, so after upgrading set allowAbsoluteUrls: false on every axios instance that is configured with a baseURL, and keep validating any url built from untrusted input.

Conclusion

The CVE-2025-27152 vulnerability is a medium-severity issue, as scored in this report, in the axios-0.21.4.tgz library; other databases rate it higher. It allows an attacker who controls the url passed to axios to redirect the request to a host of their choosing, with SSRF and credential leakage as the consequences. The fix is to upgrade axios to 1.8.2 or later and to set allowAbsoluteUrls: false on instances that use a baseURL, since the upgrade alone keeps the old default.

Step up your Open Source Security Game with Mend here

Introduction

The CVE-2025-27152 vulnerability is a medium-severity issue detected in the axios-0.21.4.tgz library, which is a promise-based HTTP client for the browser and node.js. This article will provide a Q&A section to help developers and security teams understand the vulnerability and its impact.

Q: What is the CVE-2025-27152 vulnerability?

A: The CVE-2025-27152 vulnerability is a medium-severity issue detected in the axios-0.21.4.tgz library. The vulnerability can lead to Server-Side Request Forgery (SSRF) and credential leakage.

Q: What is Server-Side Request Forgery (SSRF)?

A: Server-Side Request Forgery (SSRF) is a type of attack where an attacker can trick a server into making a request to an unintended destination. In the case of the CVE-2025-27152 vulnerability, an attacker can trick the server into making a request to an unintended destination by passing an absolute URL to the axios library.

Q: How does the CVE-2025-27152 vulnerability affect my application?

A: If untrusted input reaches the url argument of an axios call that relies on a baseURL, an attacker can supply an absolute URL and redirect the request to their own host, or to an internal service reachable from your server. Any credentials your axios instance attaches to requests, such as an Authorization header or browser cookies, travel with it.

Q: What is the impact of the CVE-2025-27152 vulnerability?

A: This report scores it medium (5.5), while NVD rates it High (7.5). In practice the impact depends on whether attacker-controlled data can reach the url argument of an axios call: where it can, the result is SSRF and leakage of whatever credentials the instance attaches to its requests.

Q: How can I fix the CVE-2025-27152 vulnerability?

A: Upgrade axios to 1.8.2 or later, then set allowAbsoluteUrls: false on axios instances that use a baseURL, because the option defaults to true and the upgrade alone does not change request behavior.

Q: What is the CVSS 3 score of the CVE-2025-27152 vulnerability?

A: This report lists 5.5 with a high availability impact, but those metrics do not describe an SSRF; NVD scores the same CVE 7.5 (High) with a network attack vector and high confidentiality impact.

Q: What is the recommended course of action for developers and security teams?

A: Upgrade axios to 1.8.2 or later, set allowAbsoluteUrls: false on instances configured with a baseURL, and review every call site where the url argument is built from request parameters, configuration fetched at runtime, or other untrusted input.

Q: How can I stay up-to-date with the latest security vulnerabilities?

A: Follow the National Vulnerability Database (NVD), the CVE list, and the GitHub Advisory Database, and run a dependency scanner such as npm audit or Mend against your lockfiles in CI so that new advisories for pinned versions surface automatically.

Q: What is the role of Mend in addressing security vulnerabilities?

A: Mend is a leading provider of open-source security solutions. Mend provides a range of tools and services to help developers and security teams identify and address security vulnerabilities in their applications.

Q: How can I get help with addressing the CVE-2025-27152 vulnerability?

A: You can get help with addressing the CVE-2025-27152 vulnerability by contacting Mend's support team. Mend's support team is available to provide guidance and assistance with addressing security vulnerabilities.

Conclusion

The CVE-2025-27152 vulnerability is a medium-severity issue, as scored in this report, in the axios-0.21.4.tgz library. It can lead to SSRF and credential leakage wherever untrusted input reaches the url argument, so it should be fixed promptly by upgrading to 1.8.2 or later and setting allowAbsoluteUrls: false where a baseURL is used. Keeping dependencies scanned in CI is what turns the next advisory like this one into a routine update rather than an incident.
