CVE-2019-10742
Denial of Service vulnerability in axios
What is CVE-2019-10742 About?
This vulnerability is a Denial of Service (DoS) issue in `axios` versions prior to 0.18.1, affecting the Node.js http adapter. It occurs when an HTTP response body exceeds the configured `maxContentLength` property: the package rejects the request promise with an error but does not destroy the underlying response stream, so it keeps receiving and buffering the rest of the body. This can lead to high CPU usage and memory growth in the process making the request. Exploitation is relatively easy.
Affected Software
axios (npm package), all versions prior to 0.18.1. Fixed in 0.18.1.
Technical Details
Versions of `axios` prior to 0.18.1 are vulnerable to a Denial of Service condition. The flaw is in the Node.js http adapter, where `maxContentLength` limits the size of the response body that `axios` will buffer. The adapter checks the accumulated body size on every `data` event of the response stream and, when the configured `maxContentLength` is exceeded, rejects the request promise with a "maxContentLength size of N exceeded" error. Instead of also aborting the response (destroying the stream), `axios` leaves the `data` listener attached, so the oversized body continues to be read and pushed onto the response buffer until the server closes the connection. Because the size check re-concatenates the whole buffer on every chunk, the CPU cost grows roughly quadratically with the body size, and the buffered chunks are held in memory for the lifetime of the response. For very large or never-ending responses this consumes excessive CPU and memory, exhausting the resources of the process hosting the `axios` client and ultimately denying service to that application.
What is the Impact of CVE-2019-10742?
Successful exploitation may allow attackers to exhaust the CPU and memory of the process that issues the `axios` request, leading to high CPU usage and denial of service for the application or server hosting that client.
What is the Exploitability of CVE-2019-10742?
Exploitation is relatively straightforward, but note the direction: `maxContentLength` governs response bodies, so the attacker must control, or be able to influence, the HTTP server that the vulnerable `axios` client talks to. An attacker serves a response body larger than the configured `maxContentLength` (or one that never ends, such as a chunked stream of padding) to an application using `axios` versions prior to 0.18.1. This is typically a remote exploitation vector against server-side Node.js applications that fetch URLs on behalf of users: webhook deliveries, link previews, URL importers, proxies, or any SSRF-style fetcher. No specific authentication or high privileges are required, just the ability to get the vulnerable client to request an attacker-controlled URL. The complexity is low. Risk factors include public-facing services that accept user-supplied URLs and rely on `maxContentLength` as their only size guard, rather than validating the `Content-Length` header or enforcing a timeout at a higher layer before `axios` processes the response.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Viniciuspxf | Link | PoC for CVE-2019-10742 |
What are the Available Fixes for CVE-2019-10742?
About the Fix from Resolved Security
The patch adds a call to stream.destroy() when the response body exceeds the specified maxContentLength, ensuring that the HTTP stream is terminated immediately. This fixes CVE-2019-10742 by preventing the application from continuing to download excessively large HTTP responses, thereby mitigating potential denial-of-service attacks due to resource exhaustion.
Available Upgrade Options
- axios: <0.18.1 → upgrade to 0.18.1 or later
Additional Resources
- https://github.com/axios/axios/commit/acabfbdf00a58bb866c9d070e8a10d1d0dbeb572
- https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505
- https://www.npmjs.com/advisories/880
- https://snyk.io/vuln/SNYK-JS-AXIOS-174505
- https://github.com/axios/axios/pull/1485
- https://github.com/axios/axios/issues/1098
- https://nvd.nist.gov/vuln/detail/CVE-2019-10742
What are Similar Vulnerabilities to CVE-2019-10742?
Similar Vulnerabilities: CVE-2018-3769, CVE-2020-8037, CVE-2020-15160, CVE-2022-24368, CVE-2021-39144
