The axios CVE index
This page catalogues every known axios CVE, explains what each vulnerability was, and documents whether it applies to parcely -- and if not, which security defense prevents it.
CVE-2020-28168 — SSRF via redirect
What happened: axios followed HTTP redirects without validating the target URL. An attacker who controlled a redirect target could redirect requests to internal services (SSRF).
Applies to parcely? No.
Why not: parcely uses a manual redirect loop (row 4: maxRedirects: 5) and strips sensitive headers on cross-origin hops (row 3: cross-origin redirect header stripping). Redirects are bounded and monitored. The protocol allowlist (row 2: allowedProtocols: ['http:', 'https:']) prevents redirects to dangerous schemes like file:.
CVE-2021-3749 — ReDoS in header trimming
What happened: axios used a regular expression to trim whitespace from header values. Crafted input could cause catastrophic backtracking (Regular Expression Denial of Service).
Applies to parcely? No.
Why not: parcely uses the native Headers API (row 6: CRLF injection defense via native Headers API) for all header operations. No custom regex is used for header parsing or trimming. The platform implementation handles header validation efficiently.
CVE-2023-45857 — Cross-site cookie leakage on redirect
What happened: axios included the XSRF-TOKEN cookie header in cross-origin redirect requests. When a same-origin request redirected to a third-party host, the XSRF token was leaked.
Applies to parcely? No.
Why not: parcely strips sensitive headers (including cookie and any user-defined sensitiveHeaders) on cross-origin redirects (row 3: cross-origin redirect header stripping). The cookie header is in the default sensitive headers list and is removed whenever a redirect crosses origin boundaries.
CVE-2024-39338 — SSRF via absolute URL path override
What happened: axios allowed absolute URLs in the url parameter to override the configured baseURL, enabling SSRF attacks. For example, passing url: 'https://evil.com/path' with a configured baseURL would send the request to evil.com instead of the intended host.
Applies to parcely? No.
Why not: parcely rejects absolute URLs when baseURL is set (row 1: allowAbsoluteUrls: false). This includes protocol-relative URLs (//evil.com/path). An attempt to use an absolute URL throws HttpError with code: 'ERR_ABSOLUTE_URL'.
CVE-2024-57965 — Prototype pollution in config merging
What happened: axios's config merging logic did not sanitise keys like __proto__, constructor, or prototype. An attacker who could influence the config object (e.g., via user input passed to axios.create() or per-request config) could pollute Object.prototype.
Applies to parcely? No.
Why not: parcely's config merging uses an explicit allowlist copy (row 5: prototype-pollution-safe config merging). Only known RequestConfig keys are copied. __proto__, constructor, and prototype are stripped from all nested objects during merging.
CVE-2025-27152 — SSRF via protocol-relative URLs
What happened: A variant of CVE-2024-39338. Even after the initial fix, axios still allowed protocol-relative URLs (//evil.com/path) to override baseURL, enabling SSRF.
Applies to parcely? No.
Why not: parcely's absolute URL rejection (row 1: allowAbsoluteUrls: false) covers protocol-relative URLs. Any URL that does not start with / followed by a path character (i.e., URLs starting with //, http:, https:, etc.) is rejected when baseURL is configured. Combined with the protocol allowlist (row 2), even URLs with exotic schemes are blocked.
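The absolute-URL rejection described above (rows 1 and 2), as an added JavaScript example that is not parcely's own code: it applies the page's syntactic rule, then also compares the resolved origin against the baseURL origin, which catches URL-parser quirks (stripped tabs, backslashes treated as slashes) that a purely syntactic check can miss. HttpError, resolveRequestUrl, isPathRelative and the ERR_BAD_URL / ERR_BAD_PROTOCOL codes are assumed names; ERR_ABSOLUTE_URL, allowAbsoluteUrls and allowedProtocols come from the page.

```javascript
// Added example, not parcely's own code: resolve a request URL against baseURL with
// the page's syntactic rule, then re-check the resolved origin as defense in depth.
class HttpError extends Error {
  constructor(message, code) {
    super(message);
    this.name = 'HttpError';
    this.code = code; // 'ERR_ABSOLUTE_URL' is the page's code; the others are assumed
  }
}
// Defaults mirror the page's rows 1 and 2.
const DEFAULTS = { allowAbsoluteUrls: false, allowedProtocols: ['http:', 'https:'] };

// Relative means a single leading '/' followed by a path character. '\' is excluded
// because the WHATWG parser treats it as '/' in http(s) URLs ('/\evil' -> '//evil').
function isPathRelative(url) {
  return /^\/(?![\/\\])/.test(url);
}

function resolveRequestUrl(url, baseURL, options = {}) {
  const { allowAbsoluteUrls, allowedProtocols } = { ...DEFAULTS, ...options };
  if (typeof url !== 'string') throw new HttpError('url must be a string', 'ERR_BAD_URL');
  let resolved;
  if (baseURL && !allowAbsoluteUrls) {
    if (!isPathRelative(url)) {
      throw new HttpError(`absolute URL rejected while baseURL is set: ${url}`, 'ERR_ABSOLUTE_URL');
    }
    resolved = new URL(url, baseURL);
    // The parser strips tabs and newlines before parsing, so '/\t/evil.example/x'
    // passes the regex yet resolves to https://evil.example/x; the origin check catches it.
    if (resolved.origin !== new URL(baseURL).origin) {
      throw new HttpError(`resolved URL left the baseURL origin: ${resolved.href}`, 'ERR_ABSOLUTE_URL');
    }
  } else {
    resolved = baseURL ? new URL(url, baseURL) : new URL(url);
  }
  // Protocol allowlist (row 2): rejects file:, data:, javascript: and other schemes.
  if (!allowedProtocols.includes(resolved.protocol)) {
    throw new HttpError(`protocol not allowed: ${resolved.protocol}`, 'ERR_BAD_PROTOCOL');
  }
  return resolved.href;
}

// Constructed inputs covering the cases on this page: each yields the href or the code.
function demo(baseURL = 'https://api.example.com') {
  const inputs = ['/users/1', '//evil.example/path', 'https://evil.example/path',
    '/\\evil.example/x', '/\t/evil.example/x'];
  return inputs.map((u) => { try { return resolveRequestUrl(u, baseURL); } catch (e) { return e.code; } });
}
```

With allowAbsoluteUrls: true the syntactic and origin checks are skipped, but the protocol allowlist still applies, so a file: URL is rejected with ERR_BAD_PROTOCOL rather than ERR_ABSOLUTE_URL.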
Summary table
| CVE | Vulnerability class | Mitigating defense row(s) | Applies? |
|---|---|---|---|
| CVE-2020-28168 | SSRF via redirect | Rows 2, 3, 4 | No |
| CVE-2021-3749 | ReDoS in headers | Row 6 | No |
| CVE-2023-45857 | Cookie leakage on redirect | Row 3 | No |
| CVE-2024-39338 | SSRF via absolute URL | Row 1 | No |
| CVE-2024-57965 | Prototype pollution | Row 5 | No |
| CVE-2025-27152 | SSRF via protocol-relative URL | Rows 1, 2 | No |