{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/axios/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["axios","lodash \u003c 4.17.21"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","request-hijacking","data-exfiltration","axios","javascript"],"_cs_type":"advisory","_cs_vendors":["lodash"],"content_html":"\u003cp\u003eAxios, a popular HTTP client library, is vulnerable to prototype pollution attacks affecting versions 0.19.0 through 1.13.6. This vulnerability arises from the insecure merging of configuration options within the \u003ccode\u003emergeConfig\u003c/code\u003e function, which lacks proper checks for own properties. By polluting the \u003ccode\u003eObject.prototype\u003c/code\u003e with malicious keys, such as \u003ccode\u003eparseReviver\u003c/code\u003e and \u003ccode\u003etransport\u003c/code\u003e, attackers can inject code into the request processing flow. This allows for the interception and modification of JSON responses before they reach the application, as well as full hijacking of HTTP requests, exposing sensitive information like credentials, headers, and request bodies. Successful exploitation requires a separate source of prototype pollution within the same process, such as a vulnerable version of lodash ( \u0026lt; 4.17.21).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker exploits a separate prototype pollution vulnerability (e.g., in lodash \u0026lt; 4.17.21) to pollute the \u003ccode\u003eObject.prototype\u003c/code\u003e with a malicious \u003ccode\u003eparseReviver\u003c/code\u003e or \u003ccode\u003etransport\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe application initiates an HTTP request using Axios.\u003c/li\u003e\n\u003cli\u003eAxios\u0026rsquo; \u003ccode\u003emergeConfig\u003c/code\u003e function merges the default configurations with the request-specific configurations without properly checking for own properties.\u003c/li\u003e\n\u003cli\u003eDue to the prototype pollution, the malicious \u003ccode\u003eparseReviver\u003c/code\u003e or \u003ccode\u003etransport\u003c/code\u003e property from \u003ccode\u003eObject.prototype\u003c/code\u003e is used in the merged configuration.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eparseReviver\u003c/code\u003e is polluted, the \u003ccode\u003eJSON.parse\u003c/code\u003e function within Axios uses the malicious reviver function, allowing the attacker to inspect and modify the response body. This could lead to data exfiltration or tampering with application logic.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003etransport\u003c/code\u003e is polluted, Axios uses the attacker-controlled transport object for the HTTP request, granting the attacker full access to request details (URL, headers, credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker logs or forwards the intercepted request data (credentials, headers, body) to an external attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe hijacked request proceeds normally, and the application receives the (potentially modified) response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this prototype pollution vulnerability can have severe consequences. Attackers can silently modify JSON responses, leading to data corruption or unauthorized privilege escalation within the application. Full HTTP request hijacking enables the exfiltration of sensitive information, including API keys, user credentials, and other confidential data transmitted in headers or the request body. Applications relying on Axios for secure communication are vulnerable, potentially affecting numerous users and services. This vulnerability affects applications using Axios versions 0.19.0 through 1.13.6 and using the Node.js http adapter.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Axios that addresses the prototype pollution vulnerability.  However, the advisory states that PR #7369 does not fully resolve the vulnerability and further patches are required.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, sanitize or filter user-supplied input to prevent prototype pollution attacks affecting \u003ccode\u003eObject.prototype\u003c/code\u003e, particularly if using libraries like lodash \u0026lt; 4.17.21.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Axios HTTP Transport Hijacking\u003c/code\u003e to identify potential attempts to hijack HTTP requests via prototype pollution.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for HTTP requests and responses to facilitate the detection of unusual data modifications or suspicious network activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-axios-prototype-pollution/","summary":"Axios versions 0.19.0 through 1.13.6 are vulnerable to prototype pollution, allowing attackers to intercept and modify JSON responses, hijack HTTP requests, and exfiltrate sensitive data by polluting the Object.prototype with keys like `parseReviver` and `transport`.","title":"Axios Prototype Pollution Vulnerability Leads to Request Hijacking and Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-03-axios-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Axios","version":"https://jsonfeed.org/version/1.1"}