CVE-2024-39338
Server-side request forgery (SSRF) in axios via protocol-relative URLs in path-relative requests.
What's the vulnerability?
axios is the most-used HTTP client in the JavaScript ecosystem — north of 50 million weekly downloads on npm and a direct dependency in countless backends, CLIs, and serverless functions.
CVE-2024-39338 is a server-side request forgery (SSRF). When an axios client is configured with a baseURL and a request is made with a path-relative URL, axios >=1.3.2 and <1.7.4 mis-handles certain inputs (notably protocol-relative URLs like //attacker.example/) so the resulting request escapes the configured base and goes to a host the attacker controls. The CVSS 3.1 score is 7.5 (High), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N — network reachable, no auth, no interaction, full confidentiality impact.
Realistic exploitation scenario
SSRF matters most in any service that:
- Lets a user supply a path or partial URL that gets concatenated onto a server-side baseURL (avatar fetchers, webhook proxies, OG image scrapers, OAuth callback resolvers).
- Runs inside a cloud network with reachable internal services — the AWS IMDS at 169.254.169.254, internal Kubernetes services, RDS, Redis, Elasticsearch, admin dashboards.
A path that looks innocuous like /users/123 is fine. A path like //169.254.169.254/latest/meta-data/iam/security-credentials/ becomes a request to AWS instance metadata — and on EC2 instances without IMDSv2 enforced, that returns the IAM role's temporary credentials. Game over.
Who's affected
Any service using axios >=1.3.2 <1.7.4 that:
- Constructs an axios instance with baseURL.
- Issues requests where any portion of the path comes from untrusted input.
The bug doesn't fire for fully-qualified absolute URLs — it's specifically the path-relative + protocol-relative interaction. If you're on 0.x axios you're not vulnerable to this CVE (you have other concerns), and >=1.7.4 is fixed.
How to detect it in your repo
# Direct + transitive
npm ls axios
pnpm why axios
yarn why axios
# Heuristic check for the vulnerable range (1.3.x-1.6.x and 1.7.0-1.7.3) in lockfiles
# that keep name@version on one line (pnpm-lock.yaml, yarn.lock). package-lock.json
# stores "version" on its own line, so rely on the version-aware `npm ls` output above for it.
grep -nE 'axios@[^0-9]*1\.([3-6]\.|7\.[0-3]([^0-9]|$))' package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
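Because a regex over a lockfile cannot compare versions, the following is an added example (not code from the original post or from RepoWarden) that reads a package-lock.json with lockfileVersion 2 or 3, walks its "packages" map, and reports every direct or nested copy of axios whose version falls inside >=1.3.2 <1.7.4. The lockfile contents, package names and paths are constructed for illustration; only the axios version range comes from the advisory.

```javascript
// Added example: version-aware scan of a package-lock.json for CVE-2024-39338.
// Range boundaries are [major, minor, patch, release] where release is 0 for a
// pre-release (1.7.4-beta.1) and 1 for a final release, so pre-releases sort
// below the final version exactly as semver orders them.
const VULNERABLE_MIN = [1, 3, 2, 1]; // first affected release (inclusive)
const FIXED = [1, 7, 4, 1];          // first fixed release (exclusive)

// Lexicographic comparison of two version tuples; returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "1.7.3" -> [1, 7, 3, 1]; "1.7.4-beta.1" -> [1, 7, 4, 0]; unparsable -> null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparsable: surface it separately rather than guess
  return cmp(v, VULNERABLE_MIN) >= 0 && cmp(v, FIXED) < 0;
}

// Keys in the "packages" map look like "node_modules/axios" for a direct copy or
// "node_modules/<parent>/node_modules/axios" for a nested, transitive copy.
// Returns one finding per affected copy so overrides can be targeted precisely.
function findVulnerableAxios(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isAxios = path === 'node_modules/axios' || path.endsWith('/node_modules/axios');
    if (!isAxios || !entry.version || !isVulnerable(entry.version)) continue;
    findings.push({ path, version: entry.version, transitive: path !== 'node_modules/axios' });
  }
  return findings;
}

// Constructed sample lockfile: one direct vulnerable axios, one nested copy
// pinned by a hypothetical SDK, and one already-fixed nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.6.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { axios: '1.7.3' } },
    'node_modules/some-sdk/node_modules/axios': { version: '1.7.3' },
    'node_modules/other-tool/node_modules/axios': { version: '1.7.4' },
  },
});

for (const f of findVulnerableAxios(SAMPLE_LOCK)) {
  console.log(`${f.transitive ? 'transitive' : 'direct'} axios ${f.version} at ${f.path}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; each finding's path tells you whether a plain upgrade suffices (direct copy) or an overrides/resolutions entry is needed (nested copy under an SDK that pins the old version).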
In code, search for SSRF-shaped patterns:
# baseURL combined with user-controlled paths
rg -n "axios.create" -A5 | rg "baseURL"
rg -n "axios\.get\(.*req\.(query|params|body)"
Any hit where req.* flows into the URL is worth a closer look — even after patching, that pattern deserves an explicit allow-list.
The advisory is GHSA-8hc4-vh64-cxmj.
The fix
Upgrade to axios@1.7.4 or later:
npm install axios@^1.7.4
# or
pnpm add axios@^1.7.4
If a transitive dependency pins an older axios, use overrides (npm/pnpm) or resolutions (yarn):
{
"overrides": {
"axios": "^1.7.4"
}
}
Defence-in-depth: even after patching, validate user-supplied URL fragments. new URL(input, baseURL).origin === baseOrigin is a one-line allow-list that survives the next CVE in the chain.
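The one-line origin check above, worked through as an added example (not code from the original post or from axios) using the WHATWG URL parser built into Node.js. The baseURL and the sample inputs are constructed; they include the protocol-relative and absolute forms the post describes plus two look-alikes (backslash and userinfo tricks) that the same origin comparison also rejects.

```javascript
// Added example: resolve untrusted input against the configured baseURL the way
// a browser would, then accept it only if it stays on the base origin
// (scheme + host + port). Hand the resolved absolute URL to the HTTP client
// instead of the raw input, so the client's own base/path combining logic is
// never asked to interpret attacker-shaped strings.
const BASE_URL = 'https://api.example.com/v1/'; // constructed for illustration

// Returns the resolved URL string when the input stays on the base origin,
// otherwise null (protocol-relative, absolute, or unparsable input).
function resolveWithinBase(input, baseURL) {
  const base = new URL(baseURL);
  let resolved;
  try {
    resolved = new URL(input, base);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
  return resolved.origin === base.origin ? resolved.href : null;
}

// Constructed samples: the two shapes the post discusses plus look-alikes.
// For http(s) the WHATWG parser treats "\" like "/", so "\\host/" is also a
// protocol-relative reference; "user@host" puts the real host after the "@".
const SAMPLES = [
  '/users/123',
  'users/123?page=2',
  '//169.254.169.254/latest/meta-data/iam/security-credentials/',
  'https://attacker.example/',
  '\\\\attacker.example/',
  'http://api.example.com@attacker.example/',
];

for (const s of SAMPLES) {
  const result = resolveWithinBase(s, BASE_URL);
  console.log(JSON.stringify(s).padEnd(68), '->', result ?? 'REJECTED');
}
```

The check deliberately pins only the origin, so `/users/123` resolves to `https://api.example.com/users/123` and passes even though it leaves the `/v1/` prefix; if the service must also stay under that prefix, add a `resolved.pathname.startsWith(base.pathname)` test on top.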
Why this one stings
Axios is so embedded in Node.js codebases that "upgrade axios" sounds easy — until you find seventeen apps in your monorepo each pinning a slightly different version, plus three transitive copies dragged in by SDKs that haven't been updated since 2023. SSRF is also the kind of finding that bug-bounty hunters love: a single vulnerable endpoint on a cloud-hosted service can cascade into IAM credential theft, lateral movement, and a very bad week.
How RepoWarden handles this
RepoWarden treats high-severity SSRFs in popular packages as priority-one. For CVE-2024-39338 specifically:
- The lockfile scanner identifies every workspace that resolves a vulnerable axios — direct or transitive.
- PRs are opened per package.json, not per repo, so monorepos don't get a single mega-PR.
- The PR body links the GHSA, summarises the SSRF behaviour in plain English, and runs your full CI before it asks for review.
- Where a transitive parent hasn't released a fix, RepoWarden falls back to an overrides/resolutions patch that pins axios safely without forcing a broader upgrade.
You don't have to remember which repos use axios. RepoWarden already knows.