NPM audit fails for anything depending on aws-crt and axios / CVE-2024-39338

[terozio]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

npm audit fails when you depend on packages which use aws-crt, because aws-crt depends on a vulnerable version of axios.

CVE for axios: GHSA-8hc4-vh64-cxmj

SDK version number

@aws-sdk/client-dynamodb@3.629

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.10.0

Reproduction Steps

npm install @aws-sdk/client-dynamodb

npm audit

npm ls axios

├─┬ @aws-sdk/client-dynamodb@3.629.0
│ └─┬ @aws-sdk/util-user-agent-node@3.614.0
│   └─┬ aws-crt@1.21.3
│     └── axios@1.7.3 

Observed Behavior

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  aws-crt  >=1.19.0
  Depends on vulnerable versions of axios
  node_modules/aws-crt

2 high severity vulnerabilities

Expected Behavior

Expect to have no vulnerabilities.

Possible Solution

No response

Additional Information/Context

Issue in axios repository: axios/axios#6463

[aBurmeseDev]

Hi @terozio - thanks for reporting.

I'm reaching out to AWS CRT team to address this. Upon checking the current version of axios used in aws-crt, it's specified as ^1.7.2, which means it should be compatible with versions up to the latest patch release.

In the meantime, while we wait for the aws-crt maintainers to address this vulnerability, you can update the axios version in your project's package-lock.json file to the latest patched version (1.7.4), which should resolve the vulnerability.

For those who come across this issue, the recommended solution is to manually update the axios version in your package-lock.json file to 1.7.4 until the aws-crt maintainers release an updated version with a non-vulnerable axios dependency.

[jmklix]

aws-crt-nodejs was updated in this PR: awslabs/aws-crt-nodejs#571
When this sdk updates it's dependency of aws-crt-nodejs to v1.21.5, then this vulnerability will be patched.

[aBurmeseDev]

This has been addressed and fixed in awslabs/aws-crt-nodejs#571. Closing now.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.