## Axios HTTP Client Exposes XSRF Tokens in All Requests, Prompting Urgent Dependency Update
A critical security flaw in the widely used Axios HTTP client library has forced developers to scramble for updates. The vulnerability, tracked as CVE-2023-45857, exposes the confidential XSRF-TOKEN stored in a user's cookies by automatically copying it into an HTTP header on every request, regardless of which host the request is sent to. This design flaw, present in versions 0.8.1 through 1.5.1, lets the operator of any host that receives such a request read the token, putting user sessions and data integrity at risk across countless web applications.
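To make the mechanism concrete, the following is an added example (not axios's own code, and not taken from the pull request the article describes). It models the cookie-to-header behaviour in its leaky form and in a same-origin-gated form, then runs a defender's check over a constructed request log to show which outbound requests carried the token to a foreign host. It assumes the cookie is named XSRF-TOKEN, as the article states, and that its value is copied into an X-XSRF-TOKEN request header, which is axios's documented default header name.

```javascript
// Added example; not axios's own code. Models the cookie-to-header behaviour behind
// CVE-2023-45857 in its leaky form and in a same-origin-gated form, plus a check that
// flags outbound requests carrying the token to a foreign host.
// Assumptions: the cookie is named XSRF-TOKEN (as in the article) and its value is
// copied into an X-XSRF-TOKEN request header (axios's documented default header name).

const XSRF_COOKIE_NAME = 'XSRF-TOKEN';
const XSRF_HEADER_NAME = 'X-XSRF-TOKEN';

// Parse a Cookie header string, e.g. "theme=dark; XSRF-TOKEN=abc" -> { theme: 'dark', 'XSRF-TOKEN': 'abc' }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Same origin means identical scheme, host and port; relative URLs resolve against the page origin.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Leaky policy (the behaviour the article describes): whenever the cookie exists,
// the header is attached, regardless of which host the request targets.
function buildHeadersLeaky(requestUrl, pageOrigin, cookieHeader) {
  const headers = {};
  const token = parseCookies(cookieHeader)[XSRF_COOKIE_NAME];
  if (token) headers[XSRF_HEADER_NAME] = token;
  return headers;
}

// Hardened policy: the header is attached only when the request stays on the page's
// own origin, so the token never travels to a third-party host.
function buildHeadersHardened(requestUrl, pageOrigin, cookieHeader) {
  const headers = {};
  if (!isSameOrigin(requestUrl, pageOrigin)) return headers;
  const token = parseCookies(cookieHeader)[XSRF_COOKIE_NAME];
  if (token) headers[XSRF_HEADER_NAME] = token;
  return headers;
}

// Defender's check over a captured request log: return the URLs of requests that
// carried the XSRF header to an origin other than the page's own.
function findCrossOriginTokenLeaks(requests, pageOrigin) {
  return requests
    .filter((req) =>
      Object.keys(req.headers).some((h) => h.toLowerCase() === XSRF_HEADER_NAME.toLowerCase()) &&
      !isSameOrigin(req.url, pageOrigin))
    .map((req) => req.url);
}

// Constructed demo data: a page on app.example talking to its own API and to a third party.
const PAGE_ORIGIN = 'https://app.example';
const COOKIE_HEADER = 'theme=dark; XSRF-TOKEN=s3cr3t-token';
const TARGETS = ['/api/profile', 'https://app.example/api/orders', 'https://cdn.third-party.example/metrics'];

// Simulate a client under each policy and record what each outbound request carried.
function simulate(buildHeaders) {
  return TARGETS.map((url) => ({ url, headers: buildHeaders(url, PAGE_ORIGIN, COOKIE_HEADER) }));
}

const leakyLog = simulate(buildHeadersLeaky);
const hardenedLog = simulate(buildHeadersHardened);
console.log('leaky policy leaked to:', findCrossOriginTokenLeaks(leakyLog, PAGE_ORIGIN));
console.log('hardened policy leaked to:', findCrossOriginTokenLeaks(hardenedLog, PAGE_ORIGIN));
```

Run with `node`: under the leaky policy the third-party metrics endpoint receives the token, under the hardened policy nothing off-origin does. The same `findCrossOriginTokenLeaks` check can be pointed at a real browser network export or a proxy log to confirm an upgrade actually closed the leak.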

The issue was flagged in a GitHub repository via an automated security update pull request, which urgently recommended upgrading the dependency from version 0.21.4 to the patched version 0.31.0. The vulnerability carries a CVSS score of 6.5 (Medium), with an attack vector that is network-based and requires no privileges, though it does require user interaction. The automated alert highlights the pervasive risk, as Axios is a foundational package for making HTTP requests in the Node.js and browser ecosystems, embedded in millions of projects.

This exposure places immediate pressure on development and security teams to audit and update their dependencies. The flaw's mechanism, leaking in every outbound call a token whose whole purpose is to prevent cross-site request forgery, undermines a core web security defense. While a patch is available, the widespread adoption of Axios means the window for exploitation remains open until teams complete their upgrades, leaving the flaw quietly present throughout the software supply chain wherever an affected version is still installed.
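The audit the article calls for is mostly a matter of finding every copy of axios in a dependency tree, including transitive copies pulled in by other packages. The following is an added example (not npm's or axios's code) that walks a tree shaped like the output of `npm ls --json` and flags every axios install inside the affected range the article gives, 0.8.1 through 1.5.1 inclusive. The sample tree and its version numbers are constructed for the demonstration and do not describe any real project.

```javascript
// Added example; not npm's or axios's own code. Walks a dependency tree shaped like the
// output of `npm ls --json` and flags every axios install whose version falls in the
// affected range the article gives (0.8.1 through 1.5.1, inclusive), including
// transitive copies nested under other packages.

const AFFECTED_MIN = '0.8.1';
const AFFECTED_MAX = '1.5.1';

// Split "1.2.3-beta.1" into [1, 2, 3]; the pre-release suffix is ignored for range checks.
function parseVersion(v) {
  const core = v.split('-')[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare major.minor.patch numerically; negative, zero or positive like an Array.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the version lies within [AFFECTED_MIN, AFFECTED_MAX].
function isAffectedAxiosVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0;
}

// Depth-first walk over the tree; returns [{ path, version }] for every affected axios node,
// where path is the chain of package names leading to it (e.g. "some-sdk > axios").
function findAffectedAxios(tree) {
  const hits = [];
  const walk = (node, path) => {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const childPath = [...path, name];
      if (name === 'axios' && child.version && isAffectedAxiosVersion(child.version)) {
        hits.push({ path: childPath.join(' > '), version: child.version });
      }
      walk(child, childPath);
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample in the shape of `npm ls --json`; version numbers are chosen around
// the range boundaries and are not taken from any real project.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    axios: { version: '0.21.4' }, // direct dependency, inside the range
    'some-sdk': {
      version: '2.0.0',
      dependencies: { axios: { version: '1.5.2' } }, // just above the range
    },
    'legacy-tool': {
      version: '1.0.0',
      dependencies: { axios: { version: '0.8.0' } }, // just below the range
    },
    'other-lib': {
      version: '3.1.0',
      dependencies: { axios: { version: '1.5.1' } }, // upper boundary, inside the range
    },
  },
};

for (const hit of findAffectedAxios(SAMPLE_NPM_LS)) {
  console.log(`affected: ${hit.path}@${hit.version}`);
}
```

To run it against a real project, replace `SAMPLE_NPM_LS` with the parsed output of `npm ls axios --json --all` from the project root; nested hits are the transitive copies that a direct `npm update axios` will not touch and that need the intermediate package bumped instead.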
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability, CVE-2023-45857, npm
- **Credibility**: unverified
- **Published**: 2026-04-16 11:22:46
- **ID**: 67422
- **URL**: https://whisperx.ai/en/intel/67422