Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-27152

Опубликовано: 07 мар. 2025
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Cryostat 3io.cryostat-cryostat3Fix deferred
Migration Toolkit for Applications 7mta/mta-cli-rhel9Fix deferred
Migration Toolkit for Applications 7mta/mta-ui-rhel9Fix deferred
Migration Toolkit for Containersrhmtc/openshift-migration-ui-rhel8Fix deferred
Migration Toolkit for Virtualizationmigration-toolkit-virtualization/mtv-console-plugin-rhel9Fix deferred
Multicluster Engine for Kubernetesmulticluster-engine/console-mce-rhel8Fix deferred
Network Observability Operatornetwork-observability/network-observability-console-plugin-rhel9Fix deferred
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-api-rhel8Fix deferred
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-db-migration-rhel8Fix deferred
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-ui-rhel8Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-918
https://bugzilla.redhat.com/show_bug.cgi?id=2350618axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests

EPSS

Процентиль: 19%
0.0006
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-27152

CVSS3: 7.5
ubuntu
8 месяцев назад

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

nvd логотип

CVE-2025-27152

CVSS3: 7.5
nvd
8 месяцев назад

axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.

msrc логотип

CVE-2025-27152

msrc
2 месяца назад

Possible SSRF and Credential Leakage via Absolute URL in axios Requests

debian логотип

CVE-2025-27152

CVSS3: 7.5
debian
8 месяцев назад

axios is a promise based HTTP client for the browser and node.js. The ...

suse-cvrf логотип

SUSE-SU-2025:1227-1

suse-cvrf
7 месяцев назад

Security update for pgadmin4

EPSS

Процентиль: 19%
0.0006
Низкий

5.3 Medium

CVSS3

Уязвимость CVE-2025-27152