
aGandrass

Github Warning | Potential security vulnerability found in the axios dependency

Hi, I have got a warning message from Github regarding a couple of my projects on Github. This is the message: "Potential security vulnerability found in the axios dependency." Does anybody know how to resolve this warning?

Thank you! Andre

0 likes
14 replies
GianniErrera

I have received the same message.

I gather that upgrading Axios to version 0.18 in package.json should fix the issue, or if your projects don't use Axios at all I assume that you can safely remove that reference altogether.

frezno

@GIANNIERRERA - removing axios afaik doesn't work since it is used for the csrf token. And an upgrade to v0.18 doesn't work either since there's the same possible security vulnerability.

GianniErrera

@FREZNO - This is the body of one of the several messages I have received; it states that it's a vulnerability regarding Axios <= 0.18:

Known high severity security vulnerability detected in axios <= 0.18.0 defined in yarn.lock.

Since the latest version is 0.18 that is indeed a problem until someone fixes it.

GianniErrera

Here is the related page on Github; the status of the issue is currently open (the link doesn't work if not logged in).

https://github.com/CMMS/network/alert/yarn.lock/axios/open

yarn.lock 3 hours ago

Remediation

No patched version is available.

Details

CVE-2019-10742

high severity

Vulnerable versions: <= 0.18.0

Patched version: No fix

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

Edit: running npm audit, Node finds 3 high-severity issues in js-yaml.

GianniErrera

I have found this

https://www.npmjs.com/advisories/813

It says to upgrade js-yaml to version 3.13.1, but I changed it in package-lock.json, launched npm install and the vulnerabilities are still there; besides, now I have 4 high vulnerabilities and not 3, so I introduced another one.

GianniErrera

Upgrading the js-yaml version in package-lock.json to 3.13.1 (there are different references; I just updated the main "js-yaml": { "version": ... entry) and running npm install fixed all but one issue.

GianniErrera

Have you tried to update js-yaml to version 3.13.1? That did the trick for me.

By the way I have another project with js-yaml v. 3.13.0 and it didn't raise any warning.

Snapey

Best Answer

As I understand it

a) version 0.18.0 is the latest release. It has the vulnerability

b) axios is mentioned in yarn.lock and package.json. If you don't have a front-end build process, then axios v0.18.0 is still included in the app.js that ships with Laravel

c) the vulnerability should not affect our client-server applications since it's a denial of service attack and would have to originate from your own server and take out your client. The real threat is to people that build axios into their node servers

d) I'm surprised how badly supported axios is. It seems this has been known about for some time, but the supporters of the project seem unable to create a build that passes all tests. v0.19.0 has been in beta for about 10 months.

e) axios is not required for the csrf token

fyi, I sent a message to Taylor earlier today alerting him to this issue.

hollyit

FYI - Axios 0.19.0 was released earlier today. You can do a yarn add axios@0.19.0 to install it. I've done it to a few sites and had no problems.

frezno

@SNAPEY -

e) axios is not required for the csrf token

I thought it did, due to the comment in bootstrap.js:

```js
/**
 * We'll load the axios HTTP library which allows us to easily issue requests
 * to our Laravel back-end. This library automatically handles sending the
 * CSRF token as a header based on the value of the "XSRF" token cookie.
 */
```

Snapey

@frezno No, it's saying that it's easy to send the csrf token with your ajax requests when using axios.

If you don't make any axios calls then it's irrelevant.

1 like
aGandrass

@snapey - Thank you for contacting Taylor. I will do some tests. Thank you all

hollyit

Sorry for the delay. 0.19.0 does fix the vulnerability, but there are apparently some breaking changes in it. I haven't noticed what they are yet, and they haven't affected my projects; I just noticed it on an issue. So they also released 0.18.1, which also addresses the vulnerability.
