Resource exhaustion in axios

#VU56963 Resource exhaustion in axios

Published: 2021-09-30

Vulnerability identifier: #VU56963

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3749

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
axios
Web applications / Modules and components for CMS

Vendor: axios

Description

The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the isURLSearchParams function in utils.js. A remote attacker can send specially crafted data to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

axios: 0.1.0 - 0.21.1

External links
http://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929
http://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak System

Multiple vulnerabilities in Oracle GoldenGate

Multiple vulnerabilities in Siemens SINEC INS

Uncontrolled Resource Consumption in IBM Watson Discovery

Migration Toolkit for Containers (MTC) update for axios

Denial of service in axios