Threat Intelligence

Live CVE feed

299 threats tracked across 7 launch stacks — sourced from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS.

32threats · NestJS· page 2/2
Get guardrails →
8 rules

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. According to RFC 1034 §3.1 and RFC 3986 §3.2.2, a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, localhost. is the same as localhost. However, Axios does a literal string comparison instead of normalizing hostnames before checking NO_PROXY. This causes requests like http://localhost.:8080/ and http://[::1]:8080/ to be incorrectly proxied. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. --- PoC ``js import http from "http"; import axios from "axios"; const proxyPort = 5300; http.createServer((req, res) => { console.log("[PROXY] Got:", req.method, req.url, "Host:", req.headers.host); res.writeHead(200, { "Content-Type": "text/plain" }); res.end("proxied"); }).listen(proxyPort, () => console.log("Proxy", proxyPort)); process.env.HTTP_PROXY = http://127.0.0.1:${proxyPort}; process.env.NO_PROXY = "localhost,127.0.0.1,::1"; async function test(url) { try { await axios.get(url, { timeout: 2000 }); } catch {} } setTimeout(async () => { console.log("\n[] Testing http://localhost.:8080/"); await test("http://localhost.:8080/"); // goes through proxy console.log("\n[] Testing http://[::1]:8080/"); await test("http://[::1]:8080/"); // goes through proxy }, 500); ` Expected: Requests bypass the proxy (direct to loopback). Actual: Proxy logs requests for localhost. and [::1]. --- Impact Applications that rely on NO_PROXY=localhost,127.0.0.1,::1 for protecting loopback/internal access are vulnerable. Attackers controlling request URLs can: Force Axios to send local traffic through an attacker-controlled proxy. Bypass SSRF mitigations relying on NO\_PROXY rules. Potentially exfiltrate sensitive responses from internal services via the proxy. --- Affected Versions Confirmed on Axios 1.12.2 (latest at time of testing). affects all versions that rely on Axios’ current NO_PROXY evaluation. --- Remediation Axios should normalize hostnames before evaluating NO_PROXY`, including: Strip trailing dots from hostnames (per RFC 3986). Normalize IPv6 literals by removing brackets for matching.

OWASP A10OWASP Web
Get guardrail →

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). Reference: axios/axios#6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. ##

OWASP A10OWASP Web
Get guardrail →
10 rules

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. Patches This issue is patched on 4.17.23.

OWASP A03OWASP Web
Get guardrail →
2 rules

nest allows a remote attacker to execute arbitrary code via the Content-Type header

File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.

OWASP A03OWASP Web
Get guardrail →
8 rules

Axios Cross-Site Request Forgery Vulnerability

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

OWASP A08OWASP Web
Get guardrail →
2 rules

@nestjs/core vulnerable to Information Exposure via StreamableFile pipe

Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.

LLM02 · Insecure OutputOWASP Web
Get guardrail →
6 rules

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. Am I affected? You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. How do I fix it? Update to version 9.0.0. Will the fix impact my users? There is no impact for end users

OWASP A07OWASP Web
Get guardrail →
6 rules

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Am I affected? You will be affected if all the following are true in the jwt.verify() function: a token with no signature is received no algorithms are specified a falsy (e.g. null, false, undefined) secret or key is passed How do I fix it? Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. Will the fix impact my users? There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

OWASP A02OWASP A07OWASP Web
Get guardrail →

jsonwebtoken unrestricted key type could lead to legacy keys usage

Overview Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. Am I affected? You are affected if you are using an algorithm and a key type other than the combinations mentioned below | Key type | algorithm | |----------|------------------------------------------| | ec | ES256, ES384, ES512

OWASP A02OWASP Web
Get guardrail →

axios Inefficient Regular Expression Complexity vulnerability

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

OWASP A06LLM10OWASP Web
Get guardrail →
10 rules

Regular Expression Denial of Service (ReDoS) in lodash

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): ``js var lo = require('lodash'); function build_blank(n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1); var time2 = Date.now(); lo.trimEnd(s); var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2); ``

OWASP A06LLM10OWASP Web
Get guardrail →

Showing 2132 of 32 threats