Open nl-brett-stime opened 8 months ago
Hi @nl-brett-stime, thank you for bringing this matter to our attention.
Axios version >= 1.x has a bug in the proxy that’s currently blocking our upgrade. You can find more details here: https://github.com/axios/axios/issues/4840.
CVE-2023-45857 isn’t applicable in jfrog-client-js because it involves an XSRF token leaking into headers only when using a web browser. Our client doesn’t handle web browser requests, only REST APIs. The mitigation of CVE-2023-45857 kicks in only when isStandardBrowserEnv is true.
Once Axios resolves the proxy issue, i.e., after one of the following occurrences:
- Merging of https://github.com/axios/axios/pull/6091 into v0
- Resolution of https://github.com/axios/axios/issues/4840 in v1
we'll proceed with the upgrade to the "fixed version".
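To make the argument in the comment above concrete, here is an added illustration of the behaviour behind CVE-2023-45857. It is not axios's code and not part of jfrog-client-js; it is a small model of the pattern: an HTTP client that, when it believes it is running in a standard browser environment, copies an XSRF cookie into a request header. The function names (makeEnv, xsrfHeaderVulnerable, xsrfHeaderHardened, sameOrigin), the cookie/header names and the sample origins are assumptions made for this example. The "hardened" variant adds a same-origin check as the mitigation; the vulnerable variant attaches the header for any destination host. In both variants nothing happens when isStandardBrowserEnv is false, which is the situation of a Node-only REST client that never has document.cookie.

```javascript
// Added example (not axios's or jfrog-client-js's code).
// Models how a browser-side XSRF cookie can leak into an outgoing header,
// and why the same logic is inert outside a browser environment.

// Constructed environment descriptor. In a real browser the cookies would
// come from document.cookie; in Node there is no document, so a client
// built on this model reports isStandardBrowserEnv === false and has no
// cookie jar to read from.
function makeEnv({ isStandardBrowserEnv, origin = null, cookies = {} }) {
  return { isStandardBrowserEnv, origin, cookies };
}

// Same-origin check used by the hardened variant (assumed mitigation logic).
function sameOrigin(env, url) {
  if (!env.origin) return false;
  return new URL(url).origin === env.origin;
}

// Vulnerable pattern: if running in a browser and the XSRF cookie exists,
// copy it into the header regardless of the destination host. A request
// to a third-party host therefore carries the first-party token.
function xsrfHeaderVulnerable(env, url, cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN') {
  if (!env.isStandardBrowserEnv) return {};
  const token = env.cookies[cookieName];
  return token ? { [headerName]: token } : {};
}

// Hardened pattern: additionally require the request to be same-origin
// before the cookie value is placed in a header.
function xsrfHeaderHardened(env, url, cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN') {
  if (!env.isStandardBrowserEnv) return {};
  if (!sameOrigin(env, url)) return {};
  const token = env.cookies[cookieName];
  return token ? { [headerName]: token } : {};
}

// Worked comparison over constructed inputs: a browser page on app.example
// that holds an XSRF-TOKEN cookie, and a Node process with no cookie jar.
function demo() {
  const browser = makeEnv({
    isStandardBrowserEnv: true,
    origin: 'https://app.example',
    cookies: { 'XSRF-TOKEN': 'constructed-token-123' },
  });
  const node = makeEnv({ isStandardBrowserEnv: false });

  const crossSite = 'https://third-party.example/collect';
  const sameSite = 'https://app.example/api/items';

  return {
    // Browser, cross-site: the vulnerable variant leaks the token.
    browserCrossSiteVulnerable: xsrfHeaderVulnerable(browser, crossSite),
    // Browser, cross-site: the hardened variant withholds it.
    browserCrossSiteHardened: xsrfHeaderHardened(browser, crossSite),
    // Browser, same-site: both variants attach it, which is the intended use.
    browserSameSiteHardened: xsrfHeaderHardened(browser, sameSite),
    // Node REST client: neither variant has a cookie to leak.
    nodeCrossSiteVulnerable: xsrfHeaderVulnerable(node, crossSite),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block in Node prints the four cases; the only case with a token in the header that should not have one is the browser cross-site request through the vulnerable variant, and the Node case produces an empty header set under both variants, which is the point the comment above makes about a non-browser client.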
Hi @attiasas, axios v0.28.0 was released last week. This version includes https://github.com/axios/axios/pull/6091. You can proceed with releasing a new version with the fix for CVE-2023-45857.
Is there any update/ETA on this being resolved?
@jvillanuevabt As mentioned above by @attiasas, the CVE is not applicable. So, this is considered a low priority. Please let me know if you have any concerns.
I understand; my only concern is leaving a known vulnerable dependency unpatched indefinitely, given that it is considered good practice to update dependencies whenever possible. Of course there is no rush, but I was hoping for an ETA on when that update will happen.
Getting a security ding because of our dependence on jfrog-client-js: