Sendgrid-nodejs: SSRF vulnerability in Axios

Created on 9 Nov 2020 · 5 Comments · Source: sendgrid/sendgrid-nodejs

Issue Summary

The latest version of sendgrid-nodejs, 7.4.0, is using axios 0.19.2, which contains a Server Side Request Forgery (SSRF) vulnerability. Currently there's no patch available from axios. Please update sendgrid-nodejs whenever the fixes are available.

Axios tracking issue:
https://github.com/axios/axios/issues/3369

Vulnerability report from Snyk:
https://snyk.io/vuln/SNYK-JS-AXIOS-1038255

Technical details:

  • sendgrid-nodejs version: 7.4.0
  • node version: v14.12.0

Note

@sendgrid/mail will also need to be updated when fixes are available.

Labels: help wanted, security

All 5 comments

Thank you for reporting this @huydoan2!

This vulnerability has since been fixed on [email protected]. Can you bump this dependency when you get a chance?

Thanks @shackbarth. I created a pull request with changes to review here, @thinkingserious: https://github.com/sendgrid/sendgrid-nodejs/pull/1236

Any update on this? Will be resolved by this merge request https://github.com/sendgrid/sendgrid-nodejs/pull/1239

fix has been published to npm as v7.4.1
