## Axios v1 Security Update: Critical XSRF Token Leak Vulnerability (CVE-2023-45857) Exposed
A critical security vulnerability in the widely-used Axios HTTP client library has been flagged, exposing confidential XSRF tokens in every outgoing request. The flaw, tracked as CVE-2023-45857, affects versions 0.8.1 through 1.5.1. The vulnerability causes the library to inadvertently include the sensitive `X-XSRF-TOKEN` header, derived from stored cookies, in requests made to *any* host. This design flaw effectively broadcasts a key anti-forgery token, potentially allowing attackers to intercept and view sensitive information intended to be protected.

The issue is central to a dependency update pull request moving a project from Axios `^0.27.2` to `^1.0.0`. The automated update, managed by RenovateBot, highlights the age and confidence metrics of the new version. The security alert explicitly warns that the vulnerability enables attackers to see the confidential token, compromising the security mechanism designed to prevent Cross-Site Request Forgery (CSRF) attacks. The presence of a second, future-dated CVE-2026-25639 in the truncated report suggests ongoing or anticipated security scrutiny for the library.

This vulnerability places thousands of dependent applications and services at immediate risk. Any system using an affected Axios version to talk to third-party APIs is potentially handing its anti-forgery token to every host it contacts. The automated security update push underscores the persistent pressure on development teams to promptly patch foundational dependencies. The nature of the flaw, a token leaked on every request rather than only in a narrow edge case, signals a systemic weakness that requires urgent attention to prevent credential harvesting and session hijacking across the software supply chain.
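The two checks a team triaging this alert actually needs are (a) whether a resolved Axios version falls inside the affected range and (b) whether the XSRF header is being attached to cross-origin requests. The following is an added example written for this page, not code from the Axios project or from the pull request it describes. It models the vulnerable "attach the cookie value to every request" step and a hardened same-origin gate on a plain config object, so it runs without Axios installed; the option name `withXSRFToken` mirrors the opt-in that Axios introduced with its fix, and the page origin, URLs and token value are constructed samples.

```javascript
// Added example (not axios project code): model the CVE-2023-45857 behaviour
// and its mitigation without performing any network requests.

// --- 1. Is a given axios version inside the affected range 0.8.1 .. 1.5.1? ---
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = '0.8.1'; // range stated in the advisory summary above
const AFFECTED_MAX = '1.5.1';

function isAffectedAxiosVersion(version) {
  return cmpSemver(version, AFFECTED_MIN) >= 0 && cmpSemver(version, AFFECTED_MAX) <= 0;
}

// --- 2. Decide whether the XSRF header may be attached to a request ---
// Vulnerable behaviour: the token is attached whenever the cookie exists.
// Hardened behaviour: attach only for same-origin targets, or when the caller
// explicitly opts in. The option name withXSRFToken is assumed here to mirror
// the opt-in that the library's fix introduced.
function isSameOrigin(requestUrl, pageOrigin) {
  const target = new URL(requestUrl ?? '/', pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

function shouldAttachXsrfToken(requestUrl, pageOrigin, opts = {}) {
  if (opts.withXSRFToken === true) return true;
  if (opts.withXSRFToken === false) return false;
  return isSameOrigin(requestUrl, pageOrigin);
}

// --- 3. A request interceptor that enforces the rule on an axios-style config ---
// It operates on a plain { url, headers } object so it can be tested stand-alone;
// with axios it would be registered via axios.interceptors.request.use(guard).
const XSRF_HEADER = 'X-XSRF-TOKEN';

function makeXsrfGuard(pageOrigin) {
  return function guard(config) {
    const headers = { ...(config.headers || {}) };
    if (!shouldAttachXsrfToken(config.url, pageOrigin, config)) {
      // Strip the header case-insensitively before the request leaves the app.
      for (const k of Object.keys(headers)) {
        if (k.toLowerCase() === XSRF_HEADER.toLowerCase()) delete headers[k];
      }
    }
    return { ...config, headers };
  };
}

// Simulate the vulnerable library step: copy the cookie value into the header
// for every request, regardless of destination.
function vulnerableAttach(config, xsrfCookieValue) {
  return {
    ...config,
    headers: { ...(config.headers || {}), [XSRF_HEADER]: xsrfCookieValue },
  };
}

// Run both requests through the vulnerable step and then the guard.
function demo() {
  const pageOrigin = 'https://app.example.test';        // constructed sample
  const token = 'sample-token-123';                      // constructed, not a real secret
  const guard = makeXsrfGuard(pageOrigin);
  const reqs = [
    { url: '/api/profile' },                              // same origin: token legitimately needed
    { url: 'https://third-party.example.test/collect' },  // cross origin: must not carry the token
  ];
  return reqs.map((r) => guard(vulnerableAttach(r, token)));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the same-origin request keeping its `X-XSRF-TOKEN` header while the cross-origin one leaves without it, which is the behaviour the fixed library enforces by default. Note that the project's old constraint `^0.27.2` resolves inside the affected range, and `^1.0.0` only lands on a fixed build if the lockfile resolves to 1.6.0 or later; the version check above is a quick way to confirm what was actually installed.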
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability, CVE-2023-45857, npm
- **Credibility**: unverified
- **Published**: 2026-04-10 14:23:04
- **ID**: 59076
- **URL**: https://whisperx.ai/en/intel/59076