CVE-2020-28168 Overview
CVE-2020-28168 is a Server-Side Request Forgery (SSRF) vulnerability affecting Axios, a popular promise-based HTTP client for Node.js and browsers. The vulnerability exists in Axios NPM package version 0.21.0 and earlier, where an attacker can bypass proxy configurations by providing a URL that responds with a redirect to a restricted host or IP address.
This SSRF vulnerability allows malicious actors to craft requests that circumvent intended proxy restrictions, potentially enabling access to internal network resources, cloud metadata services, or other protected endpoints that should not be directly accessible.
Critical Impact
Attackers can bypass proxy security controls to access internal network resources, potentially exposing sensitive internal services, cloud metadata endpoints, and restricted network segments.
Affected Products
- Axios NPM package versions prior to 0.21.1
- Siemens SINEC INS (all versions prior to patch)
- Siemens SINEC INS 1.0 SP1
Discovery Timeline
- 2020-11-06 - CVE-2020-28168 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-28168
Vulnerability Analysis
The SSRF vulnerability in Axios arises from improper handling of HTTP redirects when a proxy is configured. When an application uses Axios with a proxy setting to control outbound requests, the library fails to properly validate redirect destinations. This allows an attacker to provide an initial URL that passes proxy validation but returns an HTTP redirect (3xx status code) pointing to an internal or restricted host.
The vulnerable code path processes the redirect automatically without re-applying the proxy restrictions, effectively bypassing the security boundary. This is classified as CWE-918 (Server-Side Request Forgery), which represents a flaw where the application can be tricked into making requests to unintended destinations.
Root Cause
The root cause is the lack of redirect destination validation when proxy configurations are in place. Axios processes HTTP redirects by following them automatically, but the redirect handler does not verify whether the new destination URL should also be subject to proxy restrictions. This creates a bypass scenario where the initial request goes through the proxy, but subsequent redirected requests may not.
Attack Vector
The attack is executed over the network without requiring authentication or user interaction, though the attack complexity is considered high due to specific conditions that must be met:
- The target application must use Axios with a proxy configuration
- The attacker must control a remote server that can issue HTTP redirects
- The attacker's server must respond with a redirect to the desired internal target
An attacker would configure their external server to respond with an HTTP 301 or 302 redirect pointing to an internal resource such as http://169.254.169.254/latest/meta-data/ (AWS metadata service) or other internal endpoints. When the vulnerable Axios client follows this redirect, it bypasses the proxy and directly connects to the internal resource.
Detection Methods for CVE-2020-28168
Indicators of Compromise
- Outbound HTTP requests from applications that result in connections to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Connections to cloud metadata endpoints (169.254.169.254) from web-facing applications
- HTTP redirect chains in application logs where initial external URLs lead to internal destinations
- Unexpected traffic patterns from Node.js applications to internal services
Detection Strategies
- Monitor network traffic for HTTP 3xx redirects that lead to internal IP addresses
- Implement egress filtering rules that alert on Node.js processes connecting to internal networks
- Review application dependencies for vulnerable Axios versions using npm audit or similar tools
- Deploy web application firewalls (WAF) configured to detect SSRF patterns
Monitoring Recommendations
- Enable detailed HTTP logging in proxy infrastructure to capture redirect chains
- Configure SIEM rules to correlate outbound HTTP requests with subsequent internal connections
- Implement application-level logging for all HTTP client operations
- Monitor cloud provider logs for metadata service access from application servers
How to Mitigate CVE-2020-28168
Immediate Actions Required
- Upgrade Axios to version 0.21.1 or later which contains the fix for this vulnerability
- Audit all Node.js applications for Axios dependency versions using npm list axios
- Review and update package-lock.json files to ensure patched versions are locked
- Apply Siemens security patches for SINEC INS deployments as outlined in the Siemens Security Advisory SSA-637483
Patch Information
The vulnerability is addressed in Axios version 0.21.1 and later releases. The fix ensures that proxy configurations are properly enforced across HTTP redirects, preventing the bypass scenario. Organizations should update their package.json to require axios >= 0.21.1 and run npm update to apply the patch.
For additional technical details on the vulnerability and fix, refer to the GitHub Issue Discussion.
Workarounds
- Disable automatic redirect following in Axios by setting maxRedirects: 0 in request configurations
- Implement application-level validation of redirect destinations before following them
- Deploy network segmentation to limit the impact of potential SSRF exploitation
- Configure firewall rules to block direct connections from application servers to sensitive internal services
# Update Axios to patched version
npm update axios
# Verify installed version
npm list axios
# Audit for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
