CVE-2023-45857 — Axios XSRF-TOKEN leak MEDIUM

npm · CVSS 3.1 6.5 (MEDIUM) · axios < 1.6.0 → 1.6.0 or later (1.7.4 recommended)

Axios versions before 1.6.0 read the XSRF-TOKEN cookie (the name set by xsrfCookieName) and copy its value into the X-XSRF-TOKEN request header (xsrfHeaderName) not only for same-origin requests but for any cross-origin request sent from a browser with withCredentials: true. Every third-party host those requests reach therefore receives the application's anti-CSRF token. This is an information disclosure of the token, not a server-side request forgery; the fix in 1.6.0 restricts the header to same-origin URLs, and 1.6.2 added the withXSRFToken option for callers that deliberately want the old behaviour. Applications that run axios in the browser, use cookie-based XSRF protection, and send credentialed requests to hosts they do not control are affected.

Why it matters

The leaked value is the application's anti-CSRF token. Cookie-based (double-submit) CSRF defences assume an attacker cannot read that token; a third-party host that receives it in the X-XSRF-TOKEN header can build cross-site requests that pass the token check, and the browser attaches the victim's session cookie to those requests as usual (subject to its SameSite attribute). Treat the upgrade as urgent for browser applications that send credentialed requests to hosts you do not control.

What's affected

Package   Ecosystem   Vulnerable   Safe version   Fix guide
axios     npm         < 1.6.0      1.7.4          Full fix guide →

How to fix CVE-2023-45857

  1. Update axios to 1.6.0 or later (1.7.4 recommended). If you are pinned to the 0.x line, 0.28.0 carries the backported fix.
  2. Run npm install, commit the updated lockfile, and check for nested copies pulled in by other dependencies with npm ls axios (a transitive copy needs an overrides entry in package.json, or an upgrade of the dependency that requires it).
  3. Review browser code that sends requests with withCredentials: true to third-party hosts. After the upgrade the XSRF header is only attached to same-origin URLs; only set withXSRFToken: true (available from 1.6.2) for requests whose target is meant to receive the token.
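The three steps above amount to one question: does any installed copy of axios, direct or transitive, still fall in the vulnerable range? The following script is an added example (it is not PackageFix or axios code) that answers that question offline from a package-lock.json object. It handles both the flat "packages" map of lockfile versions 2 and 3 and the nested "dependencies" tree of lockfile version 1, so it also catches a vulnerable copy nested under another dependency, which a glance at package.json misses. The sample lockfiles are constructed for the demo; the 0.28.0 cut-off for the 0.x line is taken from axios's backport and is the one range assumption the script makes beyond the "< 1.6.0" range on this page.

```javascript
// Added example, not PackageFix or axios code: flag installed axios copies
// affected by CVE-2023-45857. Vulnerable range: 1.x below 1.6.0; on the 0.x
// line the fix was backported in 0.28.0 (assumption noted in the lead-in).
const FIRST_FIXED = { 0: [0, 28, 0], 1: [1, 6, 0] };

// "1.5.1", "v1.5.1" and "1.6.0-beta.1" all parse to their numeric triple;
// prerelease and build tags are ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  const fixed = FIRST_FIXED[v[0]];
  if (!fixed) return false; // no major line after 1.x ever shipped the bug
  return compareVersions(v, fixed) < 0;
}

// Collect every installed axios copy with its install path and version.
function findAxiosCopies(lock) {
  const copies = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        copies.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') copies.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return copies.map((c) => ({ ...c, vulnerable: isVulnerable(c.version) }));
}

// clean === true means no installed copy is in the affected range.
function auditLock(lock) {
  const copies = findAxiosCopies(lock);
  return { copies, clean: copies.every((c) => !c.vulnerable) };
}

// Constructed sample: a direct axios 1.5.1 plus a 0.21.4 nested under a
// hypothetical "legacy-sdk" dependency (both names are made up for the demo).
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.5.1', 'legacy-sdk': '1.0.0' } },
    'node_modules/axios': { version: '1.5.1' },
    'node_modules/legacy-sdk': { version: '1.0.0', dependencies: { axios: '^0.21.1' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.21.4' },
  },
};

// Constructed sample in the older nested format, already upgraded to 1.7.4.
const SAMPLE_LOCK_V1 = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.7.4', requires: { 'follow-redirects': '^1.15.6' } },
  },
};

function main() {
  for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
    const { copies, clean } = auditLock(lock);
    for (const c of copies) {
      console.log(`${c.path} ${c.version} ${c.vulnerable ? 'VULNERABLE (CVE-2023-45857)' : 'ok'}`);
    }
    console.log(clean ? 'clean' : 'fix required');
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

To run it against a real project, replace the samples with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The nested 0.21.4 in the first sample is the case worth remembering: bumping your own axios range does nothing for it, so after upgrading, confirm with npm ls axios that only one copy remains, or force the transitive copy with an overrides entry in package.json.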
✓ Verify with PackageFix

Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-45857 no longer appears in the CVE table, you're clean.

Paste your manifest — get back a fixed version with all CVEs patched in seconds.

Open PackageFix →

No signup · No CLI · No GitHub · Runs 100% in your browser

Frequently Asked Questions

What exactly is leaked, and why does it matter?
The XSRF-TOKEN cookie value, sent as the X-XSRF-TOKEN header to any host a credentialed cross-origin request reaches. Cookie-based CSRF protection works only while the attacker cannot read that token; once a third-party server holds it, it can build cross-site requests that pass the check while the browser supplies the victim's session cookie. The bug is an information disclosure, not a server-side request forgery.
Does this affect all axios users?
No. The leak needs three things together: axios running in a browser (the Node adapter does not handle XSRF cookies), an XSRF-TOKEN cookie (or whatever xsrfCookieName is set to) that page JavaScript can read, and cross-origin requests sent with withCredentials: true. If that describes your application, update immediately; server-only users should still update to stay on a fixed release.
What version of axios should I use?
Any release at or above 1.6.0 contains the fix (0.28.0 on the 0.x line); 1.7.4 is the target this guide recommends. Prefer the newest 1.x release your dependency set allows.
