Description
Axios is a promise-based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.
Statement
Availability impact is limited to the application which bundles axios and not the host Red Hat system.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
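Because `maxContentLength` only applies to HTTP responses in the affected versions, an application can bound `data:` URLs itself before the request reaches the Node adapter. The following is an added example, not axios' own code: it computes the decoded size of a `data:` URL from the encoded text (without materialising the payload), rejects it above a caller-chosen `maxBytes` cap, and wires that check in as a request interceptor. `installDataUrlGuard`, `guardDataUrl`, `dataUrlDecodedSize` and `maxBytes` are names chosen for this example; `interceptors.request.use()` is the real axios interceptor API.

```javascript
// Added example (not axios' own code): application-side guard that bounds the
// decoded size of a data: URL before axios' Node adapter decodes it.
// Assumption: "maxBytes" is the cap the caller wants; axios' maxContentLength
// does not cover data: URLs in the affected versions.

// RFC 2397 shape: data:[<mediatype>][;base64],<payload>
const DATA_URL_RE = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i;

// Returns the decoded payload size in bytes for a data: URL, or null when the
// URL does not use the data: scheme. Computed from the encoded text, so the
// payload itself is never allocated.
function dataUrlDecodedSize(url) {
  const m = DATA_URL_RE.exec(String(url));
  if (m === null) return null;
  const isBase64 = m[2] !== undefined;
  const payload = m[3];
  if (isBase64) {
    // Decoders ignore whitespace, and '=' padding contributes no bytes.
    const significant = payload.replace(/[\s=]/g, '').length;
    return Math.floor((significant * 3) / 4);
  }
  // Percent-encoded payload: each %XX escape is one byte; the remaining
  // literal characters are counted as UTF-8 without decoding the string.
  const escapes = (payload.match(/%[0-9a-f]{2}/gi) || []).length;
  const literal = payload.replace(/%[0-9a-f]{2}/gi, '');
  return escapes + Buffer.byteLength(literal, 'utf8');
}

// Request interceptor body: throws for a data: URL whose decoded size exceeds
// maxBytes and returns every other request config unchanged.
function guardDataUrl(config, maxBytes) {
  const size = dataUrlDecodedSize(config.url ?? '');
  if (size !== null && size > maxBytes) {
    throw new Error(
      `data: URL payload of ${size} bytes exceeds the ${maxBytes} byte limit`
    );
  }
  return config;
}

// Installs the guard on an axios instance (or any object exposing the same
// interceptors.request.use() API) so it runs before the adapter is chosen.
function installDataUrlGuard(instance, maxBytes) {
  instance.interceptors.request.use((config) => guardDataUrl(config, maxBytes));
  return instance;
}

// Usage with a real axios instance (constructed call, not run here):
//   installDataUrlGuard(axios.create(), 1024 * 1024); // 1 MiB cap on data: URLs
```

The guard only bounds `data:` URLs; normal HTTP responses remain covered by `maxContentLength` / `maxBodyLength`, and the upgrade to the patched version described above removes the in-adapter decoding gap itself.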
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Not affected | | |
| Gatekeeper 3 | gatekeeper/gatekeeper-rhel9 | Affected | | |
| Migration Toolkit for Applications 7 | mta/mta-ui-rhel9 | Affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-ui-rhel8 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Affected | | |
| Multicluster Global Hub | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | Affected | | |
| Network Observability Operator | network-observability/network-observability-console-plugin-compat-rhel9 | Affected | | |
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Affected | | |
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Affected | | |
Additional information
EPSS
5.3 Medium
CVSS3
Related vulnerabilities
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
Axios is vulnerable to DoS attack through lack of data size check
Axios is a promise based HTTP client for the browser and Node.js. When ...