CVE-2023-45857: 
JavaScript vulnerability analysis and mitigation

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. The vulnerability was assigned CVE-2023-45857 and was disclosed on November 8, 2023. This security flaw affects Axios version 1.5.1 and potentially earlier versions (NVD).

The vulnerability occurs when Axios includes the XSRF-TOKEN cookie value in the X-XSRF-TOKEN header for all requests, regardless of the destination host. This behavior happens when the withCredentials setting is enabled in the Axios configuration. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows attackers to view sensitive CSRF token information, which could potentially lead to bypassing CSRF protection mechanisms. When exploited, this could enable malicious actors to perform unauthorized actions on behalf of authenticated users. The exposure of the XSRF token compromises the security measure designed to prevent cross-site request forgery attacks (GitHub Issue).

The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in specific places where it's necessary. This prevents the automatic disclosure of the token to unauthorized third-party hosts (GitHub Issue).