
CSRF Vulnerability in axios via [email protected] and Loopback-Connector-MSSQL #250


Open
Koyyataman opened this issue Apr 21, 2025 · 1 comment

@Koyyataman

Steps to reproduce

  1. Use the [email protected] package with [email protected], which in turn uses [email protected].
  2. This package relies on [email protected], which is affected by a CSRF vulnerability.
  3. Enable the withCredentials setting; if the X-XSRF-TOKEN header is inserted using the secret XSRF-TOKEN cookie value, the CSRF vulnerability is triggered.

Current Behavior

The vulnerability is introduced through the dependency chain:
[email protected] > [email protected] > [email protected] > [email protected] > @azure/[email protected] > [email protected] > [email protected].

When the XSRF-TOKEN cookie is available and withCredentials is enabled, the X-XSRF-TOKEN header is automatically sent in requests to the server. This can potentially bypass CSRF protections if an attacker manages to obtain this token.

Expected Behavior

  • The package mssql should be updated to 11.0.1 or a version that resolves the CSRF vulnerability.
  • There should be an update to axios to address the CSRF issue by improving the handling of X-XSRF-TOKEN and XSRF-TOKEN cookies.

Link to reproduction sandbox

N/A

Additional information

  • node -e 'console.log(process.platform, process.arch, process.versions.node)'
    Output: <platform info>
  • npm ls --prod --depth 0 | grep loopback
    Output: <dependency tree info>

Related Issues

No related issues found.


Note: The issue is related to the CSRF vulnerability in [email protected]. The fix would require an update to the mssql dependency to resolve the security issue introduced by axios.

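To make the behaviour in the report concrete, the following added example (not code from axios, mssql or this project) models the header-attachment decision in two forms: the one the issue describes, which attaches the cookie value whenever credentials are enabled, and a hardened one that first checks the request target against the page's own origin. The cookie jar, origins and the opt-in flag `allowCrossOriginXsrf` are constructed for the illustration.

```javascript
// Added illustration of the XSRF-token handling discussed in the issue.
// Not axios code: the functions below stand in for the client's logic.
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Constructed cookie jar standing in for document.cookie on the app's origin.
const cookieJar = { [XSRF_COOKIE]: 'constructed-secret-token-value' };

// Behaviour described in the report: if credentials are enabled and the
// cookie exists, the header is added no matter where the request is sent,
// so a request to another host carries the secret token with it.
function buildHeadersReported(requestUrl, config, cookies = cookieJar) {
  const headers = {};
  if (config.withCredentials && cookies[XSRF_COOKIE]) {
    headers[XSRF_HEADER] = cookies[XSRF_COOKIE];
  }
  return headers;
}

// Hardened decision: attach the token only when the request targets the
// page's own origin, or when the caller explicitly opts in for a host it
// trusts (allowCrossOriginXsrf is a hypothetical flag for this example).
function buildHeadersHardened(requestUrl, config, pageOrigin, cookies = cookieJar) {
  const headers = {};
  const target = new URL(requestUrl, pageOrigin); // resolves relative paths
  const sameOrigin = target.origin === new URL(pageOrigin).origin;
  const optedIn = config.allowCrossOriginXsrf === true;
  if (cookies[XSRF_COOKIE] && (sameOrigin || optedIn)) {
    headers[XSRF_HEADER] = cookies[XSRF_COOKIE];
  }
  return headers;
}

// Quick self-check when run directly: the reported logic leaks the token to
// a third-party host, the hardened logic only sends it to the app's origin.
const cfg = { withCredentials: true };
console.log(buildHeadersReported('https://third-party.example/api', cfg));
console.log(buildHeadersHardened('https://third-party.example/api', cfg, 'https://app.example'));
console.log(buildHeadersHardened('/api/items', cfg, 'https://app.example'));
```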

@Koyyataman Koyyataman added the bug label Apr 21, 2025
@dhmlau
Member

dhmlau commented Apr 24, 2025

@Koyyataman, would you like to submit a PR for the fix?
We probably need to fix the CI first. @achrinza has a PR #242 to enable CI, but there hasn't been recent activity.
