CVE-2020-28168
Server-Side Request Forgery (SSRF) vulnerability in axios
What is CVE-2020-28168 About?
The axios npm package, in versions before 0.21.1 (the advisory names 0.21.0), is vulnerable to Server-Side Request Forgery (SSRF) when requests are routed through a proxy: a URL whose response redirects to a restricted host or IP address is followed with a direct connection instead of through the proxy, so the proxy-based restriction is bypassed. This can give an attacker reach into internal network resources. Exploitation is of moderate complexity, since it requires supplying a URL that the application fetches and a redirect response from the server behind that URL.
Affected Software
- axios (npm), versions earlier than 0.21.1
Technical Details
The problem is in how the axios HTTP adapter (Node.js) applied proxy settings when the redirect-following library it delegates to, follow-redirects, produced a new request. When a proxy is configured (via the request's proxy option or the HTTP_PROXY/HTTPS_PROXY environment variables), axios pointed only the initial request at the proxy: the socket was opened to the proxy host and port and the absolute target URL was sent as the request path. When the upstream server answered with a 3xx status and a Location header, follow-redirects derived fresh connection options from the Location URL, and axios did nothing to re-apply the proxy to them. The redirected hop was therefore made directly to the host named in Location. An attacker who controls the initial URL, or the server it points to, can respond with a redirect to a host or IP that is only reachable from the application's own network; the application connects to it directly, and any egress control that depended on all traffic passing through the proxy is bypassed.
What is the Impact of CVE-2020-28168?
Successful exploitation lets an attacker reach internal network resources from the application's vantage point: scanning internal hosts and ports, interacting with services that are not exposed to the public internet, and evading logging or filtering that the proxy was expected to enforce. Because the proxy itself is what the fix re-applies, proxy-side allow-lists alone do not mitigate the issue on affected versions.
What is the Exploitability of CVE-2020-28168?
Exploitation requires a URL that the application fetches with axios and a server behind that URL that answers with a redirect to an internal host or IP address. Complexity is moderate: the attacker needs to know or guess the internal address space and must be able to influence the fetched URL or the redirecting server. Three conditions must hold on the target: the request is made from the Node.js HTTP adapter (not a browser), a proxy is configured (request proxy option or HTTP_PROXY/HTTPS_PROXY), and redirects are followed, which is the default (maxRedirects is 5 unless the application sets it to 0). Authentication depends on the application: if it fetches URLs for unauthenticated users, any user can trigger it. No special privileges are needed, since the attacker rides on the application's own network position. The attack is remote. Risk is highest for applications that fetch user-supplied URLs and rely on the proxy, rather than on validation of the resolved destination, to keep requests away from internal resources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-28168?
About the Fix from Resolved Security
The fix (axios commit c7329fe, released in 0.21.1) introduces a setProxy helper that applies the proxy host, port, request path and Proxy-Authorization header to a set of request options, and registers a beforeRedirect hook so that follow-redirects runs the same helper on the options of every redirected hop. Each redirect therefore continues to go through the proxy with its credentials instead of opening a direct connection to the redirect target, which closes the proxy bypass at the core of CVE-2020-28168.
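The following is an added example, not code from the axios project or from Resolved Security. It models the behaviour described under Technical Details and in the fix description above: a request planned through a proxy, a redirect handled the way follow-redirects derives options from a Location header, and the effect of re-applying the proxy on each hop. The setProxy function follows the shape of the helper in the 0.21.1 patch; planRequest, applyRedirect, followChain, allHopsViaProxy, the proxy (PROXY) and the redirect responses (RESPONSES) are assumed for this example and constructed inline, so nothing touches the network.

```javascript
'use strict';

// Shape of the helper added in axios 0.21.1: open the socket to the proxy,
// send the absolute URL as the path, add proxy credentials, and (the fix)
// install the hook follow-redirects calls before each redirected hop.
// reapplyOnRedirect=false models the pre-0.21.1 adapter, which set no hook.
function setProxy(options, proxy, location, reapplyOnRedirect) {
  options.hostname = proxy.host;
  options.host = proxy.host;
  options.port = proxy.port;
  options.path = location;
  if (proxy.auth) {
    const creds = Buffer.from(proxy.auth.username + ':' + proxy.auth.password, 'utf8').toString('base64');
    options.headers['Proxy-Authorization'] = 'Basic ' + creds;
  }
  if (reapplyOnRedirect) {
    options.beforeRedirect = function beforeRedirect(redirection) {
      setProxy(redirection, proxy, redirection.href, true);
    };
  }
}

// Options for the first hop of a request to `url` through `proxy` (assumed helper).
function planRequest(url, proxy, fixed) {
  const u = new URL(url);
  const options = { hostname: u.hostname, host: u.hostname, port: u.port || 80,
    path: u.pathname + u.search, href: u.href, headers: {} };
  setProxy(options, proxy, u.href, fixed);
  return options;
}

// Model of what a redirect follower does with a 3xx Location: derive fresh
// connection options from the new URL (relative Locations resolve against the
// current href), then run beforeRedirect if one is set. Request headers other
// than the proxy header are out of scope of this model.
function applyRedirect(options, location) {
  const target = new URL(location, options.href);
  const next = { hostname: target.hostname, host: target.hostname, port: target.port || 80,
    path: target.pathname + target.search, href: target.href, headers: {},
    beforeRedirect: options.beforeRedirect };
  if (typeof next.beforeRedirect === 'function') next.beforeRedirect(next);
  return next;
}

// Walk a chain of constructed responses. `responses` maps an absolute URL to
// {status, location}; any URL not in the map is treated as a final 200.
// Records the socket endpoint of each hop, which is what a proxy control sees.
function followChain(url, proxy, responses, fixed, maxRedirects = 5) {
  let options = planRequest(url, proxy, fixed);
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    hops.push({ connectTo: options.hostname + ':' + options.port, path: options.path,
      proxyAuth: Boolean(options.headers['Proxy-Authorization']) });
    const res = responses[options.href];
    if (!res || res.status < 300 || res.status >= 400 || !res.location) break;
    options = applyRedirect(options, res.location);
  }
  return hops;
}

// The check a reviewer would add: every hop must be a connection to the proxy.
function allHopsViaProxy(hops, proxy) {
  return hops.every((h) => h.connectTo === proxy.host + ':' + proxy.port);
}

// Constructed fixtures: an egress proxy with credentials, and an attacker
// server that first redirects to a relative path on itself, then to a host
// reachable only from inside the application's network.
const PROXY = { host: 'egress-proxy.internal', port: 3128, auth: { username: 'svc', password: 'hunter2' } };
const RESPONSES = {
  'http://attacker.example/start': { status: 302, location: '/step2' },
  'http://attacker.example/step2': { status: 302, location: 'http://10.0.0.5:8080/admin' },
};

function demo() {
  const vulnerable = followChain('http://attacker.example/start', PROXY, RESPONSES, false);
  const fixed = followChain('http://attacker.example/start', PROXY, RESPONSES, true);
  return { vulnerable, fixed };
}

const result = demo();
console.log('pre-0.21.1 :', result.vulnerable.map((h) => h.connectTo).join(' -> '));
console.log('0.21.1+    :', result.fixed.map((h) => h.connectTo).join(' -> '));
```

Run with node: the pre-0.21.1 chain connects to the proxy only for the first hop and then directly to attacker.example and to 10.0.0.5:8080, while the 0.21.1 chain connects to egress-proxy.internal:3128 on every hop, carrying the absolute target as the path and the Proxy-Authorization header each time. Note that even the relative redirect leaves the proxy on the old adapter: the bypass does not depend on the final target being internal, only on any redirect occurring.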
Available Upgrade Options
- axios
- <0.21.1 → Upgrade to 0.21.1
Additional Resources
- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-28168
- https://www.npmjs.com/package/axios
- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
- https://github.com/axios/axios/issues/3369
- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E
- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55
What are Similar Vulnerabilities to CVE-2020-28168?
Similar Vulnerabilities: CVE-2021-25316, CVE-2022-22947, CVE-2022-31057, CVE-2023-28432, CVE-2023-49080
