High Severity: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

[elawad]

Hello,
We're seeing a high audit alert on CloudConvert, which uses Axios version 0.28.1.

CloudConvert version: 2.3.7

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ axios Requests Vulnerable To Possible SSRF and Credential    │
│               │ Leakage via Absolute URL                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.8.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cloudconvert                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cloudconvert > axios                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1102472                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Could this possibly be patched up.
Thank you.

[josiasmontag]

From the advisory:

Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

This SDK only uses hardcoded paths, so it is not affected by this vulnerability.

[elawad]

Thanks for clarifying @josiasmontag

To give some background: many companies (like ours) have security audits that automatically flag these issues.
And the audits are solely based on version #.

Just giving more context, to help reduce noise & similar issues.

---

I saw in issue #111 there's some talk to remove axios via #112.