CVE-2024-57965
Published: 29 January 2025
Description
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.
Security Summary
CVE-2024-57965 affects the Axios JavaScript library in versions prior to 1.7.8. The issue is located in the lib/helpers/isURLSameOrigin.js file, which fails to use a URL object when determining an origin and includes a potentially unwanted setAttribute('href', href) call.
The vulnerability carries a CVSS v3.1 base score of 0.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N), indicating no impact on confidentiality, integrity, or availability. It is classified under CWE-346 (Origin Validation Error). Read component by component, the vector describes an issue reachable over the network (AV:N) by an attacker with no privileges (PR:N) and no user interaction (UI:N), but with high attack complexity (AC:H) and a scope change (S:C) that produces no measurable effect on any of the three impact metrics.
Mitigation is available via the Axios v1.7.8 release, which incorporates changes from GitHub pull request #6714, issue #6351, and commit 0a8d6e19da5b9899a2abafaaa06a75ee548597db. Notably, some parties contend that the fix only addresses a warning generated by a Static Application Security Testing (SAST) tool rather than resolving a genuine vulnerability.
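The CVE description credits the fix with switching to a URL object for the origin comparison rather than resolving the string through an element's href attribute. The following is an added example (not axios's own code) of a same-origin check built that way on the WHATWG URL API; the page URLs and request URLs in it are constructed sample values, and `isURLSameOrigin` here is a stand-in with the same name, not the library's implementation.

```javascript
// Added example, not axios code: compare origins using the WHATWG URL object.
// URL.origin normalises scheme and host case, strips default ports and
// resolves relative and protocol-relative references against the base.

function originOf(url, base) {
  // new URL() throws on unparsable input; treat that as "no usable origin"
  // instead of falling back to string prefix matching.
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch (e) {
    return null;
  }
  // For schemes without a tuple origin (data:, javascript:, about:) this is
  // the literal string "null", which must never compare equal to a page origin.
  return parsed.origin;
}

// pageURL: the document's own URL (what window.location.href would hold in a
// browser; passed explicitly here so the example runs under Node).
function isURLSameOrigin(requestURL, pageURL) {
  const page = originOf(pageURL);
  if (page === null || page === 'null') return false;
  const target = originOf(requestURL, pageURL);
  if (target === null || target === 'null') return false;
  return target === page;
}

// Constructed sample inputs exercising the cases an origin check must get right.
const PAGE = 'https://app.example.com/dashboard?tab=1';
const SAMPLES = [
  '/api/users',                                 // relative path: same origin
  'HTTPS://APP.EXAMPLE.COM:443/api',            // case and default port: same origin
  '//evil.example.net/api',                     // protocol-relative: different host
  'https://app.example.com@evil.example.net/',  // userinfo trick: host is evil.example.net
  'http://app.example.com/',                    // scheme differs
  'https://app.example.com.evil.example.net/',  // prefix lookalike host
  'data:text/plain,hi',                         // opaque origin
];

function checkSamples() {
  return SAMPLES.map((u) => [u, isURLSameOrigin(u, PAGE)]);
}

module.exports = { originOf, isURLSameOrigin, checkSamples };
```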
Details
- CWE(s)