Server-Side Request Forgery in axios

[sobotkap10]

npm audit report

axios >=1.3.2
Severity: high
Server-Side Request Forgery in axios - GHSA-8hc4-vh64-cxmj

node_modules/axios
@inertiajs/core >=1.0.15
Depends on vulnerable versions of axios
node_modules/@inertiajs/core
@inertiajs/vue3 >=1.0.15
Depends on vulnerable versions of @inertiajs/core
node_modules/@inertiajs/vue3

3 high severity vulnerabilities

[RobertBoes]

There's pretty much nothing Inertia can do about this, since a fix for axios hasn't been released yet. Inertia's requirements would make it that the latest version is automatically installed

Also, the issue has to do with SSRF, so Inertia wouldn't be vulnerable, since it doesn't run on the server and therefor isn't susceptible to SSRF. Inertia only uses Axios client-side.

[ImSeaWorld]

Audits don't account for production, it defaults to development.
In the future, run this: npm audit --omit=dev

You'll (hopefully) get found 0 vulnerabilities

[ladiladi]

@RobertBoes axios has now released a fix for this in 1.7.4: https://github.com/axios/axios/releases/tag/v1.7.4

[RobertBoes]

@ladiladi A PR to update the dependency has been submitted here #1946

But Inertia's requirement of ^1.6.0 would be sufficient, as npm would install the latest version. So running npm update or npm audit fix in your app would upgrade it to 1.7.4, also giving 0 vulnerabilities regarding Axios when you'd run npm audit

[AlvesJorge]

Closed my PR #1946