Donate Telegram

CVE-2024-57965

CRITICAL CVSS 3.1: 9.8 EPSS 0.09%

Jan 29, 2025

Updated Sep 19, 2025

Axios

Parameter	Value
CVSS	9.8 (CRITICAL)
Affected Versions	before 1.7.8
Fixed In	1.7.8
Type	CWE-346 (Origin Validation Error)
Vendor	Axios
Public PoC	No

In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-346 Origin Validation Error

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Axios Axios cpe:2.3:a:axios:axios::::::node.js::*	—	`1.7.8`

References 4

https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db

https://github.com/axios/axios/issues/6351

https://github.com/axios/axios/pull/6714

https://github.com/axios/axios/releases/tag/v1.7.8

Share Post Share Share Share

Related Vulnerabilities

CVE-2025-62718

Axios

CVE-2025-27152

Axios

CVE Details

CVE ID

CVE-2024-57965

Published Date

Jan 29, 2025

Vendor

Axios

Severity

CRITICAL

CVSS v3.1 Score

9.8

Critical severity. Immediate action required.

Attack Analysis

Exploitability 3.9/10

How easy to exploit

Impact 5.9/10

Severity of consequences

Exploit Prediction (EPSS)

Probability of Exploit 0.09%

Likelihood of exploitation in next 30 days

Percentile: 25.1th percentile (higher than 25.1% of all CVEs)

Standard patching cycle

Impact

Full data disclosure

Complete data modification

Denial of Service

Source

Editor's Choice