CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

CVSS

No CVSS.

References

Link	Resource
https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db	Patch
https://github.com/axios/axios/issues/6351	Issue Tracking
https://github.com/axios/axios/pull/6714	Issue Tracking Patch
https://github.com/axios/axios/releases/tag/v1.7.8	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2025-01-29 09:15

Updated : 2025-09-19 19:38

NVD link : CVE-2024-57965

Mitre link : CVE-2024-57965

CVE.ORG link : CVE-2024-57965

JSON object : View

Products Affected

axios

axios

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2024-57965", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-01-29T09:15:08.183", "references": [{"url": "https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/axios/axios/issues/6351", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/axios/axios/pull/6714", "tags": ["Issue Tracking", "Patch"], "source": "[email protected]"}, {"url": "https://github.com/axios/axios/releases/tag/v1.7.8", "tags": ["Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability."}, {"lang": "es", "value": "En axios anterior a la versi\u00f3n 1.7.8, lib/helpers/isURLSameOrigin.js no utiliza un objeto URL al determinar un origen y tiene una llamada setAttribute('href',href) potencialmente no deseada. NOTA: algunas partes consideran que el cambio de c\u00f3digo solo soluciona un mensaje de advertencia de una herramienta SAST y no corrige una vulnerabilidad."}], "lastModified": "2025-09-19T19:38:55.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6CFFC30D-BA6B-47B6-8623-89F83C25658A", "versionEndExcluding": "1.7.8"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}