52 matches found
CVE-2025-66035 Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential...
CVE-2024-14006
Nagios XI versions prior to 2024R1.2.2 contain a host header injection vulnerability. The application trusts the user-supplied HTTP Host header when constructing absolute URLs without sufficient validation. An unauthenticated, remote attacker can supply a crafted Host header to poison generated...
EUVD-2021-1397
Malware in sbrugna...
EUVD-2025-7731
Malicious code in bioql PyPI...
EUVD-2025-26876
Malicious code in bioql PyPI...
Security Bulletin: Axios before 1.8.2 allows SSRF and credential leakage when using absolute URLs despite baseURL setting
Summary axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This...
Server-Side Request Forgery (SSRF)
Axios is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of absolute URLs, which causes axios to send requests directly to the specified absolute URL instead of respecting the baseURL, potentially leading to SSRF and exposing sensitive credentials...
Server-side Request Forgery (SSRF)
Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath. It may not be...
Server-side Request Forgery (SSRF)
Overview org.webjars.bowergithub.axios:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to not setting allowAbsoluteUrls to false by default when processing a requested URL in buildFullPath. ...
CVE-2025-27152
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...
CVE-2025-27152
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...
DEBIAN-CVE-2025-27152
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...
Axios 代码问题漏洞
Axios is an HTTP client based on Promise a solution for asynchronous programming from the Axios open source. A code issue vulnerability exists in Axios versions prior to 1.8.2 that stems from passing absolute URLs could lead to SSRF and credential disclosure...
Server-side Request Forgery (SSRF)
Overview org.webjars.bowergithub.axios:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTT...
Server-side Request Forgery (SSRF)
Overview org.webjars.bower:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. A...
Server-side Request Forgery (SSRF)
Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the allowAbsoluteUrls attribute being ignored in the call to the buildFullPath function from the HTTP adapter. An...
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
Summary A bypass was discovered in the trustedOrigins validation logic—affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect. Because redirect endpoints include...
GHSA-MXJF-HC9V-XGV2 ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting
Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...
ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting
Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...
GHSA-3WFP-253J-5JXV SSRF & Credentials Leak
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was cause...