CVE-2024-21535
Sensitive Information Disclosure vulnerability in markdown-to-jsx (npm)
What is CVE-2024-21535 About?
This vulnerability in Axios inadvertently discloses the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request to any host. This leads to sensitive information disclosure, which is relatively easy to exploit, as it happens automatically with affected Axios versions.
Affected Software
Technical Details
The Axios library, in versions 0.8.1 through 1.5.1, is designed to extract a Cross-Site Request Forgery (XSRF) token from browser cookies and include it in a custom HTTP header (X-XSRF-TOKEN) for subsequent requests. The vulnerability arises because this mechanism is not restricted to same-origin requests. Consequently, when a request is made from an application using the vulnerable Axios version to any external host, the XSRF-TOKEN is automatically appended to the request headers. This behavior allows an attacker, who has control over a destination host or can intercept traffic, to capture the confidential XSRF-TOKEN, which is intended to prevent CSRF attacks and should remain secret to the origin.
What is the Impact of CVE-2024-21535?
Successful exploitation may allow attackers to view sensitive information and potentially bypass CSRF protections, leading to unauthorized actions.
What is the Exploitability of CVE-2024-21535?
Exploitation of this vulnerability is of low complexity. It is primarily a client-side issue, requiring no authentication or special privileges on the target server. The disclosure happens automatically with any request made from an application using the vulnerable Axios library to any host. An attacker only needs to control an external web server that the vulnerable client application makes a request to, or be able to intercept network traffic, to capture the XSRF-TOKEN. The likelihood of exploitation increases if the vulnerable application frequently makes requests to third-party domains.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21535?
About the Fix from Resolved Security
The patch extends URL sanitization by applying the existing sanitizeUrl(value) function not only to href attributes but also to src attributes. This fixes CVE-2024-21535 by preventing attackers from injecting malicious URLs into src attributes (such as for images or scripts), which could otherwise lead to cross-site scripting (XSS) attacks.
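An added illustration of the fix described above, not the project's own code: a minimal URL sanitizer in the spirit of markdown-to-jsx's sanitizeUrl (the decoding, the control-character stripping and the exact list of blocked schemes are assumptions of this example), shown applied to href only versus to both href and src.

```javascript
// Added example, not markdown-to-jsx's own sanitizeUrl. Blocked schemes are an
// assumption; the real function's rules may differ.
const UNSAFE_SCHEMES = ['javascript', 'vbscript', 'data'];

function sanitizeUrl(value) {
  if (typeof value !== 'string') return null;
  let decoded;
  try {
    decoded = decodeURIComponent(value);
  } catch {
    decoded = value; // malformed percent-escapes: inspect the raw string
  }
  // Browsers ignore control characters and whitespace inside a scheme,
  // so "java\tscript:" or "java%0Ascript:" still execute; strip them first.
  const normalized = decoded.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const match = normalized.match(/^([a-z][a-z0-9+.-]*):/);
  if (match && UNSAFE_SCHEMES.includes(match[1])) return null;
  return value; // relative paths and http(s)/mailto/etc. pass through unchanged
}

// Pre-fix behaviour as the advisory describes it: only href is sanitized.
function sanitizeAttrsBefore(attrs) {
  const out = { ...attrs };
  if ('href' in out) out.href = sanitizeUrl(out.href);
  return out;
}

// Post-fix behaviour: src receives the same treatment as href.
function sanitizeAttrsAfter(attrs) {
  const out = { ...attrs };
  for (const name of ['href', 'src']) {
    if (name in out) out[name] = sanitizeUrl(out[name]);
  }
  return out;
}

// Constructed sample attribute sets, as a markdown renderer might produce them.
const sampleImg = { src: 'javascript:alert(1)', alt: 'x' };
const sampleLink = { href: 'https://example.com/docs', title: 'docs' };
```

The pre-fix variant returns the image's src untouched, while the post-fix variant nulls it, which is the gap the patch closes.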
Available Upgrade Options
- markdown-to-jsx
- <7.4.0 → Upgrade to 7.4.0
Additional Resources
- https://security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886
- https://github.com/quantizor/markdown-to-jsx
- https://github.com/quantizor/markdown-to-jsx/commit/8eb74da825c0d8d2e9508d73c672bcae36ba555a
- https://osv.dev/vulnerability/GHSA-4wx3-54gh-9fr9
- https://nvd.nist.gov/vuln/detail/CVE-2024-21535
What are Similar Vulnerabilities to CVE-2024-21535?
Similar Vulnerabilities: CVE-2021-33190, CVE-2020-28212, CVE-2015-2849, CVE-2019-15822, CVE-2018-8420
