CVE-2023-45857 Overview
An information disclosure vulnerability was discovered in Axios version 1.5.1 that inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This behavior allows attackers to view sensitive information that should only be shared with the intended origin server, potentially enabling cross-site request forgery attacks or session hijacking.
Critical Impact
The XSRF-TOKEN is leaked to any external host during cross-origin requests, potentially exposing sensitive session data and enabling attackers to bypass CSRF protections.
Affected Products
- Axios 1.5.1 for Node.js
- Applications and services utilizing the affected Axios library version
- NetApp products incorporating vulnerable Axios versions (see NetApp Security Advisory NTAP-20240621-0006)
Discovery Timeline
- 2023-11-08 - CVE-2023-45857 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-45857
Vulnerability Analysis
This vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The core issue lies in how Axios handles XSRF tokens during HTTP requests. The library is designed to read the XSRF-TOKEN cookie and automatically include it as the X-XSRF-TOKEN header in requests. However, in the affected version, this behavior occurs indiscriminately for all requests regardless of the destination host.
When a web application makes requests to third-party domains or external APIs using Axios, the XSRF token—which is intended only for the original application's backend—is inadvertently transmitted to these external hosts. This creates a significant information disclosure vector where sensitive security tokens become visible to unintended parties.
Root Cause
The root cause stems from improper origin validation in the XSRF token handling logic. The Axios library fails to properly check whether the request destination matches the origin from which the XSRF-TOKEN cookie was set. This lack of same-origin enforcement means the protective token is broadcast to all hosts contacted by the application, violating the fundamental security principle that CSRF tokens should only be shared with their originating server.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by setting up a malicious server and enticing a victim to visit a page that triggers Axios requests to the attacker's domain. When the victim's browser makes these requests through the vulnerable Axios library, the attacker's server receives the XSRF-TOKEN header, capturing the sensitive token.
This leaked token could then be used to:
- Bypass CSRF protections on the legitimate application
- Potentially hijack user sessions if the token is correlated with session management
- Gain insight into the application's security implementation
Technical details and community discussion regarding this vulnerability can be found in the GitHub Issue #6006.
Detection Methods for CVE-2023-45857
Indicators of Compromise
- Unexpected X-XSRF-TOKEN headers appearing in outbound requests to third-party domains
- XSRF tokens being logged by external services in request headers
- Anomalous cross-origin requests containing sensitive authentication headers
- Presence of Axios 1.5.1 in application dependencies (package.json or package-lock.json)
Detection Strategies
- Audit application dependencies for Axios version 1.5.1 using npm audit or equivalent package scanning tools
- Monitor network traffic for outbound requests containing X-XSRF-TOKEN headers to external domains
- Implement Software Composition Analysis (SCA) tools to identify vulnerable library versions in your codebase
- Review application logs for patterns indicating token leakage to unauthorized endpoints
Monitoring Recommendations
- Configure web application firewalls (WAF) to flag requests with XSRF tokens being sent to non-whitelisted domains
- Implement Content Security Policy (CSP) reporting to detect unexpected outbound connections
- Enable detailed logging for HTTP client libraries to capture header information in requests
- Set up alerting for dependency vulnerability scanners to notify when vulnerable Axios versions are detected
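The header-monitoring strategy above, as an added example that is not part of the advisory: a scan over constructed HTTP-client debug log lines (one JSON record per line, an assumed format) that flags every request carrying an X-XSRF-TOKEN header to an origin other than the application's own.

```javascript
// Added example (not from the advisory or the Axios project). Input format is
// an assumption: one JSON object per line with ts, method, url and headers,
// as an HTTP-client or proxy debug log might emit. The records are constructed.
const SAMPLE_LOG = [
  '{"ts":"2023-11-08T10:00:01Z","method":"GET","url":"https://app.example.com/api/me","headers":{"x-xsrf-token":"tok-123"}}',
  '{"ts":"2023-11-08T10:00:02Z","method":"POST","url":"https://analytics.thirdparty.invalid/collect","headers":{"x-xsrf-token":"tok-123","content-type":"application/json"}}',
  '{"ts":"2023-11-08T10:00:03Z","method":"GET","url":"https://cdn.thirdparty.invalid/logo.png","headers":{"accept":"image/png"}}',
  'this line is not JSON and must be skipped, not crash the scan',
].join('\n');

// Header names are case-insensitive, so compare lower-cased keys.
function hasXsrfHeader(headers) {
  return Object.keys(headers || {}).some(h => h.toLowerCase() === 'x-xsrf-token');
}

// Returns the records whose X-XSRF-TOKEN header was sent to a foreign origin.
// "Origin" is scheme + host + port, with default ports normalised by URL.
function findXsrfLeaks(logText, appOrigin) {
  const app = new URL(appOrigin).origin;
  const leaks = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    if (!hasXsrfHeader(rec.headers)) continue;
    let origin;
    try { origin = new URL(rec.url).origin; } catch (e) { origin = 'invalid-url'; }
    if (origin !== app) {
      leaks.push({ ts: rec.ts, method: rec.method, url: rec.url, origin });
    }
  }
  return leaks;
}

// Stand-alone run: prints the one leaked request in the constructed sample.
console.log(findXsrfLeaks(SAMPLE_LOG, 'https://app.example.com'));
```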
How to Mitigate CVE-2023-45857
Immediate Actions Required
- Update Axios to a patched version that properly restricts XSRF-TOKEN header transmission to same-origin requests
- Audit your application's use of Axios to identify all instances where cross-origin requests may leak tokens
- Consider implementing request interceptors to strip sensitive headers from cross-origin requests as a temporary measure
- Review and rotate XSRF tokens for any applications that may have been exposed
Patch Information
The vulnerability was reported and tracked in the Axios GitHub repository. Organizations should upgrade to a fixed version of Axios that addresses the improper XSRF token handling. Check the official Axios releases and changelog for the specific version containing the security fix. NetApp customers should also consult the NetApp Security Advisory for product-specific guidance.
Workarounds
- Implement a custom request interceptor to conditionally remove the X-XSRF-TOKEN header for cross-origin requests
- Configure Axios instances with withCredentials: false for requests to external domains where CSRF protection is not needed
- Use separate Axios instances for same-origin and cross-origin requests with different configurations
- Manually manage XSRF token headers instead of relying on Axios's automatic behavior
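The interceptor workaround above, as an added example that is not the Axios project's own code: a request interceptor that leaves Axios's automatic XSRF header in place for same-origin requests only. It takes the page origin as a parameter (window.location.origin in a browser, an assumption) so the logic runs without a DOM or the axios package; xsrfCookieName, baseURL, url, headers and interceptors.request.use are real Axios options and APIs.

```javascript
// Added example, not from the Axios project or the advisory.

// Resolve the request URL the way Axios does: config.url is joined onto
// config.baseURL unless it is already absolute; a relative URL with no
// baseURL resolves against the page origin.
function resolveRequestUrl(config, pageOrigin) {
  return new URL(config.url || '', config.baseURL || pageOrigin);
}

// Same origin means identical scheme, host and port (URL normalises defaults).
function isSameOrigin(config, pageOrigin) {
  return resolveRequestUrl(config, pageOrigin).origin === new URL(pageOrigin).origin;
}

// For cross-origin requests: (1) clear xsrfCookieName, the Axios option naming
// the cookie to read, so the xhr adapter, which adds the header after request
// interceptors have run, never looks the token up; (2) remove any X-XSRF-TOKEN
// header that was set explicitly, whatever its letter case.
function stripXsrfForCrossOrigin(config, pageOrigin) {
  if (isSameOrigin(config, pageOrigin)) return config;
  config.xsrfCookieName = null;
  const headers = config.headers || {};
  if (typeof headers.delete === 'function') {
    headers.delete('X-XSRF-TOKEN'); // AxiosHeaders instance
  } else {
    for (const name of Object.keys(headers)) {
      if (name.toLowerCase() === 'x-xsrf-token') delete headers[name];
    }
  }
  config.headers = headers;
  return config;
}

// Registration with a real instance in a browser (assumes window is defined):
//   axios.interceptors.request.use(cfg =>
//     stripXsrfForCrossOrigin(cfg, window.location.origin));
```

Deleting the header alone is not sufficient on the affected version, because the adapter re-adds it after interceptors run; clearing xsrfCookieName is what prevents the cookie lookup.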
# Check for vulnerable Axios version in your project
npm list axios | grep "1.5.1"
# Update Axios to latest version
npm update axios
# Audit dependencies for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.