CVE-2024-57965: 
Linux Debian vulnerability analysis and mitigation

In axios before version 1.7.8, there is a vulnerability in lib/helpers/isURLSameOrigin.js where the code does not use a URL object when determining an origin, and contains a potentially unwanted setAttribute('href',href) call (NVD, MITRE). The vulnerability was discovered and disclosed in January 2025, affecting all versions of axios prior to 1.7.8.

The vulnerability stems from the implementation in the isURLSameOrigin.js helper file where the code uses DOM manipulation via setAttribute('href',href) instead of the URL API for origin determination. This issue was identified through a security scan that flagged the potentially unsafe use of setAttribute (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 0.0 NONE with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N (NVD).

The actual impact of this vulnerability is disputed. Some parties believe that the code change only addresses a warning message from a Static Application Security Testing (SAST) tool and does not fix a real security vulnerability (NVD).

The vulnerability has been fixed in axios version 1.7.8 by replacing the DOM-based origin determination with the URL API. Users are recommended to upgrade to version 1.7.8 or later to address this issue (GitHub PR, GitHub Release).