CVE-2024-39338

HIGH

axios 1.3.2-1.7.3 - Server-Side Request Forgery via Path Relative URL Processing

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-39338. PoCs published by AikidoSec.

AI-analyzed exploit summary This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate both vulnerable and protected scenarios using the Aikido Zen Firewall.

Description

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Exploits (1)

github WORKING POC 6 stars
by AikidoSec · javascriptpoc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2024-39338

This repository contains functional exploit PoCs for multiple CVEs, including a JavaScript injection vulnerability (AIKIDO-2026-10165) and a path traversal vulnerability (CVE-2014-3744). The PoCs demonstrate both vulnerable and protected scenarios using the Aikido Zen Firewall.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Node.js applications using @enspirit/elo and st modules
No auth needed
Prerequisites: Node.js environment · Docker for containerized testing
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0141
EPSS Percentile 69.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (2)
axios/axios 1.3.2 - 1.7.4
npm/axios 1.3.2 - 1.7.4npm
Published Aug 12, 2024
Tracked Since Feb 18, 2026