fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)

Co-authored-by: DigitalBrainJS <robotshara@gmail.com>
2026-06-20 20:00:40 +03:00 · 2023-10-26 21:54:06 +02:00
parent 7d45ab2e2a
commit 96ee232bd3
2 changed files with 4 additions and 4 deletions
@@ -188,8 +188,8 @@ export default isXHRAdapterSupported && function (config) {
    // Specifically not if we're in a web worker, or react-native.
    if (platform.isStandardBrowserEnv) {
      // Add xsrf header
-      const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
+      // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
-        && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
+      const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
      if (xsrfValue) {
        requestHeaders.set(config.xsrfHeaderName, xsrfValue);
@@ -67,7 +67,7 @@ describe('xsrf', function () {
    });
  });
-  it('should set xsrf header for cross origin when using withCredentials', function (done) {
+  it('should not set xsrf header for cross origin when using withCredentials', function (done) {
    document.cookie = axios.defaults.xsrfCookieName + '=12345';
    axios('http://example.com/', {
@@ -75,7 +75,7 @@ describe('xsrf', function () {
    });
    getAjaxRequest().then(function (request) {
-      expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
+      expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
      done();
    });
  });