Conversation

@vvalekk vvalekk commented Mar 31, 2025

Updates

  • CVSS v4
  • Severity

Comments
Audit keeps reporting this as a vulnerability even when using 0.30.0. Probably because the patched-in rule says '>=1.8.2' instead of 0.30.0 when < 1.0.
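The complaint above is about how an advisory's affected ranges are derived from its "patched in" rule. The following added example (not code from this PR, the advisory, or any project) models that with a small constructed comparator evaluator: one advisory whose only patched version is 1.8.2, and one with a separate patched version per major line (0.30.0 for 0.x, 1.8.2 for 1.x, as the thread describes). The range strings and the mini-semver parser are assumptions for illustration, not the real advisory database format.

```python
# Added example: evaluate whether a version falls inside an advisory's affected ranges.
# Version strings are constructed for this demo; the comparator syntax is a
# simplified ">=X <Y" form, not a full npm semver implementation.
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version like '0.30.0' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every space-separated comparator in `spec`."""
    v = parse_version(version)
    for comp in spec.split():
        # Two-character operators must be tried before their one-character prefixes.
        for op in (">=", "<=", ">", "<", "=="):
            if comp.startswith(op):
                bound = parse_version(comp[len(op):])
                break
        else:
            raise ValueError(f"unsupported comparator: {comp}")
        satisfied = {
            ">=": v >= bound,
            "<=": v <= bound,
            ">": v > bound,
            "<": v < bound,
            "==": v == bound,
        }[op]
        if not satisfied:
            return False
    return True


def is_vulnerable(version: str, affected_ranges: List[str]) -> bool:
    """A version is flagged if it falls inside any affected range."""
    return any(in_range(version, r) for r in affected_ranges)


# Advisory as the commenter describes it: the only patched version is 1.8.2,
# so every release below 1.8.2 (including 0.30.0) is treated as affected.
ONLY_PATCHED_1_8_2 = ["<1.8.2"]

# Advisory with a patched version per major line (assumed from the thread):
# 0.x is fixed in 0.30.0 and 1.x is fixed in 1.8.2, so 0.30.0 is clean.
PER_MAJOR_PATCHED = ["<0.30.0", ">=1.0.0 <1.8.2"]

if __name__ == "__main__":
    for v in ("0.29.0", "0.30.0", "1.8.1", "1.8.2"):
        print(v, is_vulnerable(v, ONLY_PATCHED_1_8_2), is_vulnerable(v, PER_MAJOR_PATCHED))
```

The difference between the two range lists is exactly why a scanner keyed to a single "patched in >=1.8.2" rule keeps flagging 0.30.0 while one using the per-major ranges does not.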

github commented Mar 31, 2025

Hi there @jasonsaayman! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to vvalekk/advisory-improvement-5420 March 31, 2025 13:25
@sgleisner

Version 0.30.0 was included as a patched version in #5411, and at least on my end, the audit is not showing the vulnerability when using 0.30.0.

Could it be a cache issue on your side, @vvalekk?

shelbyc commented Mar 31, 2025

Hi @vvalekk, as @sgleisner mentioned, 0.30.0 is listed as a patched version in GHSA-jr5f-v2jv-69x6. If you're having trouble with a Dependabot alert, you may need to reach out to http://support.github.com/. I'm closing this PR because issues with specific users' alerts are beyond the scope of advisory content concerns.

@shelbyc shelbyc closed this Mar 31, 2025
@shelbyc shelbyc deleted the vvalekk-GHSA-jr5f-v2jv-69x6 branch March 31, 2025 17:10