CVE-2024-39338 Overview
CVE-2024-39338 is a Server-Side Request Forgery (SSRF) vulnerability in the axios HTTP client library version 1.7.2. The flaw allows attackers to redirect requests by exploiting unexpected URL parsing behavior. Path-relative URLs supplied to axios are processed as protocol-relative URLs. An attacker who controls the request path can force the library to send requests to an arbitrary host. The vulnerability is tracked under CWE-918: Server-Side Request Forgery and primarily impacts Node.js applications that pass user-controlled input into axios request paths.
Critical Impact
Remote attackers can coerce vulnerable axios clients to issue HTTP requests to attacker-controlled or internal hosts, exposing sensitive data and internal services.
Affected Products
- axios 1.7.2 (Node.js)
- Applications bundling axios 1.7.2 as a dependency
- Server-side JavaScript projects using axios for outbound HTTP requests
Discovery Timeline
- 2024-08-12 - CVE-2024-39338 published to NVD
- 2024-08-23 - Last updated in NVD database
Technical Details for CVE-2024-39338
Vulnerability Analysis
The vulnerability resides in how axios 1.7.2 resolves request URLs on the Node.js adapter. When a developer issues a request with what appears to be a path-relative URL, axios interprets the input as a protocol-relative URL. Protocol-relative URLs begin with // and inherit the scheme from the parent context. The library follows the embedded host rather than appending the path to the configured baseURL. An attacker who can influence the path argument can therefore divert outbound requests to a host of their choosing. The result is a classic SSRF condition with high confidentiality impact and no required privileges or user interaction.
Root Cause
The root cause is improper URL normalization within the axios request building logic on the Node.js HTTP adapter. The library fails to distinguish between a path beginning with / and a network-path reference beginning with //. RFC 3986 treats //host/path as a network-path reference that overrides the base authority. Axios processes such input as a valid target rather than treating it as a relative path under baseURL.
Attack Vector
Exploitation requires an application that forwards user-controlled input into the axios request path while relying on a fixed baseURL for safety. An attacker submits input such as //attacker.example.com/resource where the application expects a path like /resource. The Node.js adapter then issues the outbound request to attacker.example.com instead of the trusted base host. This enables reconnaissance of internal services, theft of authorization headers attached by the client, and pivoting against cloud metadata endpoints. Refer to the Jeff Hacks CVE-2024-39338 Advisory for detailed reproduction notes.
Detection Methods for CVE-2024-39338
Indicators of Compromise
- Outbound HTTP requests from application servers to unexpected external hosts that do not match the configured baseURL.
- Application logs showing axios request paths beginning with // or containing embedded authority components.
- Unexpected requests to cloud metadata endpoints such as 169.254.169.254 originating from Node.js services.
- Authorization headers or session cookies appearing in traffic destined for untrusted hosts.
Detection Strategies
- Inspect application source and dependency manifests for axios@1.7.2 using software composition analysis tooling.
- Add server-side logging that records the fully resolved URL of every axios request before transmission.
- Implement egress proxy rules that flag outbound requests whose host does not match an allowlist of approved destinations.
- Review HTTP request paths reaching application endpoints for inputs starting with // or containing ://.
Monitoring Recommendations
- Forward egress firewall and proxy logs to a centralized analytics platform for correlation with application activity.
- Alert on outbound connections from backend services to internal RFC 1918 ranges or cloud metadata IPs.
- Track anomalous spikes in DNS lookups initiated by Node.js application processes.
How to Mitigate CVE-2024-39338
Immediate Actions Required
- Upgrade axios to a fixed release later than 1.7.2 as listed in the GitHub Axios Release Notes.
- Audit all code paths that pass user-supplied data into axios url or path arguments.
- Validate that every request URL begins with a single / and reject inputs containing // or a scheme prefix.
- Restrict outbound network egress from application servers to an explicit allowlist of trusted hosts.
Patch Information
The axios maintainers addressed the SSRF behavior in releases following 1.7.2. Consult the GitHub Axios Release Notes for the specific fixed version and changelog entries. Update package manifests with npm install axios@latest or pin to a known-good version, then rebuild and redeploy affected services.
Workarounds
- Normalize incoming path parameters server-side by stripping leading slashes before concatenating them with baseURL.
- Use the WHATWG URL constructor to validate that the resolved request target matches the expected origin.
- Apply an outbound proxy or service mesh policy that blocks requests to hosts outside the approved list.
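The two validation workarounds above, combined in one helper as an added example (this is not code from the advisory or from the axios project): the caller-supplied path is joined to a fixed baseURL, then the WHATWG URL constructor confirms the resolved target still sits on the trusted origin and under the base path. BASE_URL, combineUrls and buildRequestUrl are hypothetical names.

```javascript
// Added example, not code from the advisory or from axios itself.
// Builds the outbound URL from a fixed baseURL plus a caller-supplied path
// and accepts it only if the WHATWG URL parser resolves it to the same
// origin and path prefix as the base. All names here are hypothetical.

const BASE_URL = 'https://api.example.com/v1/'; // hypothetical trusted base

// Join baseURL and a relative path with exactly one slash between them,
// the way a baseURL-plus-path client is expected to behave.
function combineUrls(baseURL, relativePath) {
  return baseURL.replace(/\/+$/, '') + '/' + relativePath.replace(/^\/+/, '');
}

// Returns the full request URL as a string, or null when the input must be
// rejected. Null means "do not send the request at all".
function buildRequestUrl(baseURL, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return null;

  // A scheme prefix (http:, https:, ...) or a network-path reference (//host)
  // carries its own authority. Backslashes are rejected too, because the
  // WHATWG parser treats "\" as "/" in http(s) URLs.
  if (/^[a-z][a-z0-9+.-]*:/i.test(userPath)) return null;
  if (/^[\/\\]{2}/.test(userPath)) return null;

  let base;
  let resolved;
  try {
    base = new URL(baseURL);
    resolved = new URL(combineUrls(baseURL, userPath));
  } catch (_err) {
    return null; // unparsable base or candidate is rejected outright
  }

  // Origin = scheme + host + port. Comparing it is the authoritative check;
  // the string tests above only fail fast.
  if (resolved.origin !== base.origin) return null;

  // Dot segments are normalised by the parser, so also require the final
  // path to stay under the base path (e.g. "/v1/").
  const basePath = base.pathname.replace(/\/+$/, '') + '/';
  if (!resolved.pathname.startsWith(basePath)) return null;

  return resolved.href;
}
```

Call buildRequestUrl before every outbound request and treat a null result as a rejected request, not as a fallback to the raw input.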
# Configuration example
npm install axios@latest
npm ls axios
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.