Server-Side Request Forgery Vulnerability (CVE-2024-39338)
Problem
Describe the bug

Axios is vulnerable to a Server-Side Request Forgery attack caused by unexpected behaviour where requests for path-relative URLs get processed as protocol-relative URLs. This could be leveraged by an attacker to perform arbitrary requests from the server, potentially accessing internal systems or exfiltrating sensitive data.

To Reproduce

In this vulnerable code snippet, the developer intended to invoke a path relative to the base URL; however, it allows an attacker to craft a malicious protocol-relative URL which is then requested by the server. Given that protocol-relative URLs are not relevant server-side, as there is no protocol to be relative to, the expected result would be an error. Instead, a valid URL is produced and requested.

Example Vulnerable Code

[code block]

Expected Output (Prior to axios 1.3.2):

[code block]

Developer might also have expected:

[code block]

Observed Output:

[code block]

This behaviour is potentially unexpected and introduces the potential for attackers to request URLs on arbitrary hosts other than the host in the base URL.

The code related to parsing and preparing the URL for server-side requests, prior to version 1.3.2, only passed one argument to the Node.js URL class.

[code block]

Version 1.3.2 introduced `http://localhost` as a base URL for relative paths (https://github.com/axios/axios/issues/5458).

[code block]

As protocol-relative URLs are considered to be absolute, the config.baseURL value is ignored so protocol-re
Error Output
Error [ERR_INVALID_URL]: Invalid URL: //example.org
1 Fix
Solution: Server-Side Request Forgery Vulnerability (CVE-2024-39338)
Several auditing tools are reporting this issue as of today, including `npm audit`. https://github.com/advisories/GHSA-8hc4-vh64-cxmj
Validation
Resolved in axios/axios GitHub issue #6463. Community reactions: 56 upvotes.
Submitted by
Alex Chen