Fluid Attacks Database

Description

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-axios	=0.21.1+dfsg-1 \|\| =0.21.1+dfsg-1+deb11u1 \|\| =0.21.3+dfsg-1 \|\| =0.21.4+dfsg-1 \|\| =0.22.0+dfsg-1 \|\| =0.23.0+dfsg-1 \|\| =0.23.0+dfsg-2 \|\| =0.24.0+dfsg-1 \|\| =0.25.0+dfsg-1 \|\| =0.25.0+dfsg-2 \|\| =0.26.0+dfsg-1 \|\| =0.26.1+dfsg-1 \|\| =0.26.1+dfsg-2 \|\| =0.27.2+dfsg-1 \|\| =0.27.2+dfsg-2 \|\| =1.1.2+dfsg-1 \|\| =1.1.2+dfsg-2 \|\| =1.1.2+dfsg-3 \|\| =1.1.3+dfsg-1 \|\| =1.1.3+dfsg-2 \|\| =1.11.0+dfsg-1 \|\| =1.12.1+dfsg-1 \|\| =1.13.1+dfsg-1 \|\| =1.13.2+dfsg-1 \|\| =1.14.0+dfsg-1 \|\| =1.15.0-1 \|\| =1.15.2-1 \|\| =1.2.0+dfsg-1 \|\| =1.2.1+dfsg-1 \|\| =1.5.1+dfsg-1 \|\| =1.6.2+dfsg-1 \|\| =1.6.8+dfsg-1 \|\| =1.6.8+dfsg-2 \|\| =1.7.3+dfsg-1 \|\| =1.7.4+dfsg-1 \|\| =1.7.7+dfsg-1 \|\| =1.7.9+dfsg-1 \|\| =1.8.4+dfsg-1	-
debian 12	node-axios	=1.2.1+dfsg-1 \|\| >=0 <1.2.1+dfsg-1+deb12u1	1.2.1+dfsg-1+deb12u1
debian 13	node-axios	>=0 <1.7.9+dfsg-1	1.7.9+dfsg-1
debian 14	node-axios	>=0 <1.7.9+dfsg-1	1.7.9+dfsg-1

Aliases

1. CVE-2024-579652. NVD-2024-579653. OSV-DEBIAN-2024-579654. OSV-2024-579655. SECURITY-TRACKER-CVE-2024-57965

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.