Closed LucianBuzzo closed 6 months ago
Hi - thank you for the PR. Unfortunately, this code is auto-generated and we'll need to upgrade the typescript generator. Will do that over the next couple of days!
Hey @LucianBuzzo, we're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created an axios 0.27.2-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at info@seal.security if you have any requests/questions.
@aeneasr Ok cool, where is the source for the typescript generator?
Axios is also getting PRs for a 0.x fix such as https://github.com/axios/axios/pull/6091
Closing as per https://github.com/ory/sdk/pull/303#issuecomment-1812111204
This fixes https://nvd.nist.gov/vuln/detail/CVE-2023-45857, an issue discovered in Axios 0.8.1 through 1.5.1 that inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.