CVE-2020-28168
Server-Side Request Forgery (SSRF) vulnerability in axios (npm)

Type: Server-Side Request Forgery (SSRF) | Known exploit: none | Fixable by Resolved Security

What is CVE-2020-28168 About?

The axios npm package at version 0.21.0 is vulnerable to Server-Side Request Forgery (SSRF): an attacker can bypass the restrictions of a configured proxy, which can lead to unauthorized access to internal network resources. Exploitation is of moderate complexity, requiring crafted URLs and redirect responses.

Affected Software

axios <0.21.1

Technical Details

The SSRF vulnerability in axios 0.21.0 arises from insufficient validation of URLs when a proxy is configured. An attacker supplies a URL that, when requested by axios, returns a redirect. The initial request goes through the allowed path or proxy, but the redirect points at a restricted internal host or IP address. Because axios 0.21.0 does not re-apply the proxy settings and access restrictions to the redirected request, the redirected request is sent directly to the internal resource instead of through the proxy, bypassing the security control that was meant to isolate the internal network.

What is the Impact of CVE-2020-28168?

Successful exploitation may allow attackers to access internal network resources, perform port scanning, and potentially interact with services that are not exposed to the public internet.

What is the Exploitability of CVE-2020-28168?

Exploiting this SSRF vulnerability requires crafting a URL that triggers a redirect to an internal host or IP address. The complexity is moderate: the attacker needs an understanding of the network configuration and of how the target application handles redirects. Authentication requirements depend on whether the application passes URLs from unauthenticated users to axios; if it does, any user can exploit the vulnerability. Privilege requirements are low, since the attacker leverages the application's own network permissions. The attack is remote, as the attacker only sends crafted URLs to the server. The relevant precondition is the server's network topology, specifically whether the process running axios can reach internal resources. Exploitation is more likely in applications that process user-supplied URLs and follow redirects without validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-28168?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch ensures that when a proxy is configured, every HTTP redirect is also sent through the proxy rather than directly to the target host. This closes the proxy bypass via redirects that is the core of CVE-2020-28168. The fix adds a redirect handler that routes each redirected request through the proxy, preserving proxy authentication and the correct destination.

Available Upgrade Options

  • axios
    • <0.21.1 → Upgrade to 0.21.1


Additional Resources

What are Similar Vulnerabilities to CVE-2020-28168?

Similar Vulnerabilities: CVE-2021-25316, CVE-2022-22947, CVE-2022-31057, CVE-2023-28432, CVE-2023-49080