CSRF vulnerability in AXIOS 0.24.1 to latest

[mmatra]

Describe the bug

AXIOS contains a CSRF Vulnerability

Axios contains a cross-site request forgery (CSRF) vulnerability due to insecure HTTP endpoint permission validation. An attacker could exploit this vulnerability by sending a crafted link to a victim to execute malicious actions on their behalf.

Below are the versions which contain this vulnerability

axios | 0.21.4
axios | 0.26.1
axios | 1.0.0
axios | 1.3.6
axios | 1.4.0
axios | 1.5.1 : Latest

To Reproduce

NA

Code snippet

No response

Expected behavior

AXIOS should not have this vulnerability

Axios Version

0.24.1, 0.26.3, 1.5.1

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

No response

OS

No response

Additional Library Versions

No response

Additional context/Screenshots

No response

[theta682]

Probably related to #6006

[anuraggo]

This issue is reported in BlackDuck scan. Here is detailed report -

[PacoPeralta]

Snyk is also detecting this error:
https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
Unfortunately at this point as per report, there is not an axios version with a fix.

[ahmedsamy64]

Hello guys, is there any fix for this?

[albertodiazdorado]

Also interested. Isn't the fix super easy to implement?

53817f8

[anuraggo]

Also interested. Isn't the fix super easy to implement?

53817f8

@valentin-panov I see this commit in PR and is in progress #6028
I guess we need to wait until its merged ?

[sarahkonimeti]

what is the potential ETA for this PR to be resolved please?

[jerell-mendoza]

Hi, I just wanted to bump this as well as my team is interested in seeing this resolved as well! Thank you team!

[CrossEyedRobot]

This is an issue for my application also. Is there a planned fix?

[emzeidan]

Update: It looks like the related PR #6028 was just merged. I'm guessing a new release shouldn't be too far off.

[emzeidan]

v1.6.0 has just been released with this patched.