
NPM audit fails for anything depending on aws-crt and axios / CVE-2024-39338

Open terozio opened this issue 1 year ago • 2 comments

Describe the bug

npm audit fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.

CVE for axios: https://github.com/advisories/GHSA-8hc4-vh64-cxmj

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.10.0

Reproduction Steps

npm install @aws-sdk/client-dynamodb

npm audit

npm ls axios

├─┬ @aws-sdk/[email protected]
│ └─┬ @aws-sdk/[email protected]
│   └─┬ [email protected]
│     └── [email protected] 

Observed Behavior

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  aws-crt  >=1.19.0
  Depends on vulnerable versions of axios
  node_modules/aws-crt

2 high severity vulnerabilities

Expected Behavior

Expect to have no vulnerabilities.

Possible Solution

No response

Additional Information/Context

Issue in axios repository: https://github.com/axios/axios/issues/6463

terozio avatar Aug 13 '24 07:08 terozio

Hi @terozio - thanks for reporting.

I'm reaching out to the AWS CRT team to address this. Upon checking the current version of axios used in aws-crt, it's specified as ^1.7.2, which means it should be compatible with versions up to the latest patch release.

In the meantime, while we wait for the aws-crt maintainers to address this vulnerability, you can update the axios version in your project's package-lock.json file to the latest patched version (1.7.4), which should resolve the vulnerability.

For those who come across this issue, the recommended solution is to manually update the axios version in your package-lock.json file to 1.7.4 until the aws-crt maintainers release an updated version with a non-vulnerable axios dependency.

aBurmeseDev avatar Aug 13 '24 18:08 aBurmeseDev
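The comment above relies on the lockfile actually resolving to the patched axios release. The following check is an added example, not code from this thread or from the aws-sdk-js-v3 project: it walks a package-lock.json `packages` map (lockfile v2/v3) and reports every installed copy of axios below 1.7.4, including nested copies that `npm ls` would show under aws-crt. The lockfile contents and the aws-crt version in the sample are constructed assumptions, not values taken from the report.

```javascript
// Added example (not from the issue thread): find axios entries in a
// package-lock.json "packages" map that are below the patched version the
// maintainer named, 1.7.4, so a manual lockfile edit can be verified.

const PATCHED_AXIOS = "1.7.4"; // patched release cited in the thread (GHSA-8hc4-vh64-cxmj)

// Numeric comparison of two dotted version strings; pre-release suffixes are
// dropped, which is sufficient for the release versions found in a lockfile.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Return every axios install path whose version is below PATCHED_AXIOS.
// Nested copies ("node_modules/<pkg>/node_modules/axios") are included: a
// fixed hoisted copy does not replace a nested vulnerable one.
function findUnpatchedAxios(lockfile) {
  const pkgs = lockfile.packages || {};
  return Object.entries(pkgs)
    .filter(([p]) => p === "node_modules/axios" || p.endsWith("/node_modules/axios"))
    .filter(([, meta]) => compareVersions(meta.version, PATCHED_AXIOS) < 0)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample lockfile mirroring the `npm ls axios` tree in the report.
// The version numbers are assumptions for the example, not from the thread.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "@aws-sdk/client-dynamodb": "^3.0.0" } },
    "node_modules/aws-crt": { version: "1.21.4", dependencies: { axios: "^1.7.2" } },
    "node_modules/axios": { version: "1.7.2" },
  },
};

const hits = findUnpatchedAxios(SAMPLE_LOCK);
console.log(hits.length ? "unpatched axios found:" : "axios is patched", hits);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every installed axios copy is at or above 1.7.4.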

aws-crt-nodejs was updated in this PR: https://github.com/awslabs/aws-crt-nodejs/pull/571. When this SDK updates its dependency on aws-crt-nodejs to v1.21.5, this vulnerability will be patched.

jmklix avatar Aug 16 '24 21:08 jmklix

This has been addressed and fixed in https://github.com/awslabs/aws-crt-nodejs/pull/571. Closing now.

aBurmeseDev avatar Oct 02 '25 18:10 aBurmeseDev

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Oct 02 '25 18:10 github-actions[bot]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

github-actions[bot] avatar Oct 17 '25 00:10 github-actions[bot]