CVE-2024-57965

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute(href,href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

Weakness

The product does not properly verify that the source of data or communication is valid.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/111.html
• https://cwe.mitre.org/data/definitions/141.html
• https://cwe.mitre.org/data/definitions/142.html
• https://cwe.mitre.org/data/definitions/160.html
• https://cwe.mitre.org/data/definitions/21.html
• https://cwe.mitre.org/data/definitions/384.html
• https://cwe.mitre.org/data/definitions/385.html
• https://cwe.mitre.org/data/definitions/386.html
• https://cwe.mitre.org/data/definitions/387.html
• https://cwe.mitre.org/data/definitions/388.html
• https://cwe.mitre.org/data/definitions/510.html
• https://cwe.mitre.org/data/definitions/59.html
• https://cwe.mitre.org/data/definitions/60.html
• https://cwe.mitre.org/data/definitions/75.html
• https://cwe.mitre.org/data/definitions/76.html
• https://cwe.mitre.org/data/definitions/89.html

References

• https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db
• https://github.com/axios/axios/issues/6351
• https://github.com/axios/axios/pull/6714
• https://github.com/axios/axios/releases/tag/v1.7.8