[XRAY-11506] Axios - CVE-2025-27152 - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Code Review
Priority: Critical
Resolution: Unresolved
Affects Version/s: Xray DC 8.2.3
Fix Version/s: Continuous Delivery
Component/s: Security
Labels:
- security-ext
Environment:

We should update both the webjar and npm package.

No current risk. Not exploitable.

Just for hygiene.

Requirement Status:

UNCOVERED

Description

Overview

The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Affected Package

Axios@1.7.7

Remediation

Upgrade to axios to 1.8.2 or 1.12.0

Attachments

Issue Links

implements: SEC-196 Loading...

Activity

People

Assignee:: Paulo Pereira

Reporter:: Raza Mehmood

Votes:: 1 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Jan/26 12:05 PM

Updated:: 6 days ago 6:38 PM